Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Copying one Index from a Cluster to a single install for test

robertlynch2020
Influencer
‎06-26-2024 04:03 AM

HI

I have a cluster(3 indexers) with data and I want to copy one index "logs_Test" data to a single install for testing.

Can I copy it from the back end on all 3 and bring them together, I feel this won't work.

Can I export it from the Search head to a new index and then move that?

Any ideas would be great 

Thanks in advance

Robbie

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2024 05:05 AM

The answer depends on what you intend to test, but you should be able to treat the data as frozen and copy the buckets from all 3 indexers into the thawed directory to a standalone indexer.  See https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Restorearchiveddata for how to thaw data.

---
If this reply helps you, Karma would be appreciated.
Reply

robertlynch2020
Influencer
‎06-26-2024 09:21 AM

Hi

Thanks for this.

I have the following on 3 indexers.

robertlynch2020_0-1719418691243.png

 

In the DB folder, the hot buckets have the same name on some indexes, so I don't think I can copy these. Perhaps I should not copy them over and go for the other ones.

robertlynch2020_1-1719418764121.png

I also see the data in the datamodel_summary section, but I have no data models on this data.

Perhaps I don't need to copy these as well?

Cheers

Rob

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...