Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are the next steps to prep servers for retirement?

discenzadoe
Explorer
‎04-18-2022 06:10 AM

We have a distributed search environment, with 2 very old indexers (the original servers) and 3 new indexers in a cluster. 

The old indexers have been removed from the destination lists in outputs.conf nearly everywhere, and most of the data is between 5 and 6 months old, except for internal indexes.

I can't find what my next steps are to prep these servers for retirement, such as force-freezing the buckets they still hold, etc. 

Suggestions?

Thanks.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-18-2022 07:57 AM

I read the OP as saying all five indexers are in a cluster.

Since you mention force-freezing data I presume you don't need to keep the data on these indexers.  Is that right?

If you don't want to keep the data then just remove the indexers from each SH's list of search peers then shut them down.

If you do want to keep the data then the buckets will have to be converted into cluster format and copied to the other indexers.  Then each clustered indexer will have to be restarted to import the new buckets.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-18-2022 07:37 AM

The first step is to remove the old indexers from outputs.conf *everywhere*, not just nearly.

The next step is to run the command splunk offline --enforce-counts on one indexer.  This will tell the cluster to make sure the buckets on the old indexer exist elsewhere in the cluster.  Then the indexer will stop itself.

The last step is to repeat the previous step on the remaining indexer.

See https://docs.splunk.com/Documentation/Splunk/8.2.6/Indexer/Takeapeeroffline#Take_a_peer_down_permane...

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

discenzadoe
Explorer
‎04-18-2022 07:43 AM

What I meant by *nearly* everywhere is that there are some decommissioned server VMs that have been restarted (rarely), with a UF pointing to the old indexers. I don't have the rights to activate all of the old servers to make certain nothing still points to the indexers I wish to retire.

Additionally, the two indexers in question are *not* cluster members, so the command you listed would have zero effect on the standalone boxes.

Before the introduction of the indexer cluster, we had two indexers essentially load-balancing each other in distributed search, and those indexers are what I'm trying to retire.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-18-2022 07:57 AM

I read the OP as saying all five indexers are in a cluster.

Since you mention force-freezing data I presume you don't need to keep the data on these indexers.  Is that right?

If you don't want to keep the data then just remove the indexers from each SH's list of search peers then shut them down.

If you do want to keep the data then the buckets will have to be converted into cluster format and copied to the other indexers.  Then each clustered indexer will have to be restarted to import the new buckets.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...