Hi @krusty, just adding more information:

The new indexers will not have historical data, so If you need to query them, my suggestion is to keep the indexers until the data retention reach out, or you no longer need the historical data.

If you have any heavy forwarder sending data to the indexer cluster, you also have to update the outputs.conf with the new indexer peers as well

for further information, please check this document link ->https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Addclusterpeer

Hi

One of clusters base features is rebalancing (as asked and/or when e.g. nodes restarted) buckets. This is way how you could and should transfer old buckets from old nodes to the new ones (Rebalance indexer cluster primary bucket copies).This ensure that all nodes have approximately same amount of searchable buckets. After you have rebalanced the buckets then you should take old peers away with Take a peer down permanently: the enforce-counts offline command which automatically "move" rest copies to another search peer. After all primary copies have transferred to another peer it will go down and you could decommission it. Then you should remove the second old peer.

Also you must put old peers into detention mode or otherwise those will get new data all time (at least replicas).             Put a peer into detention          

r. Ismo

Hi soutamo,

thanks for your answers and links to the docs.
I have read the docs but I do not fully understood how it will work. Maybe you can help me again. 😉
This is the first time I have to do such an operation to our productive systems. Therefore I like to be sure that I do not do any mistake.
This is what I understood from the docs:

• Stop new external data input
  Verify that all forwarders will send data only to the new peers. So that only internal data will be indexed for the moment.
  Is there a way to check if all incoming data are no longer use the "old" indexers? I checked the different menu's from Monitoring Console but could not find any usable report. So I tried searching with this SPL:

index=* source=* splunk_server="<old indexer1>" OR splunk_server="<old indexer2>" | stats count by host

• Set "old" indexer peers in detention mode
  To stop indexing new internal and external data I have to switch the old indexers into detetion mode.
  Command to use from the command line of the "old" peer.

splunk edit cluster-config -auth <username>:<password> -manual_detention on

• Initiate data rebalancing for all existing indexes by entering this command

splunk rebalance cluster-data -action start -searchable true
Will the master automatically detect which indexes and data needs to be replicated?

• Remove a peer from the master's list

splunk remove cluster-peers -peers <guid>,<guid>

I read I have to take the peer "down" or "gracefulshutdown" before I can remove the peer. Will it be enough to take the node offline?

How can I check before removing the peer from the cluster that all buckets are replicated to the "new" indexers? Do you have any check search available?

Hope I do not miss anything and the foreseen procedure is correct. As I said, this is the first time I have to do such a task.

Many thanks.

Hi soutamo,

after a while I was able to do all the steps and now the old indexer/peers are removed from our environment. Everything works as expected.

Thanks a lot for your help.