Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

import events to an index

sigma
Path Finder
‎10-07-2023 01:47 AM

Hi all,

I deployed Splunk and enabled indexer clustering.
Then I created an index in master-apps and it has been replicated to peer nodes. Now I want to export some event from an index and import to the newly created index. I tested multiple methods:

I export events using following command:

./splunk cmd exporttool /opt/splunk/var/lib/splunk/defaultdb/db/db_1305913172_1301920239_29/  /myexportpath/export1.csv  -et 1302393600 -lt 1302480000 -csv

and import the result using following command:

./splunk cmd importtool /opt/splunk/var/lib/splunk/defaultdb/db /myexportpath/export1.csv

 but the data not replicated to indexers.

I tried another method using UI in cluster master. I import my events to newly created index. In the cluster master search everything is OK but this events not replicated to the indexers.

Note that my newly index does not shown in the indexes tab in indexer clustering: manger node. There are just three indexes: _internal, _audit, _telementry

I think I did a wrong way to do this. Does anyone have an idea?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-07-2023 03:05 AM

I haven't used the importtool myself but the logical thing to do is to run it on an indexer. If you run it on the master, it has no way of replicating the data to indexers because master is  not a part of the "replication group"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-07-2023 02:10 AM

Hi @sigma,

did you tried from Search Heads using the collect command (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Collect)?

In other words: you run a search on one index and then you use the collect command:

index=old_index
| collect index=new_index

Obviously you can define the time period to export.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...