Getting Data In

Copying one Index from a Cluster to a single install for test

robertlynch2020
Influencer

HI

I have a cluster(3 indexers) with data and I want to copy one index "logs_Test" data to a single install for testing.

Can I copy it from the back end on all 3 and bring them together, I feel this won't work.

Can I export it from the Search head to a new index and then move that?

Any ideas would be great 

Thanks in advance

Robbie

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The answer depends on what you intend to test, but you should be able to treat the data as frozen and copy the buckets from all 3 indexers into the thawed directory to a standalone indexer.  See https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Restorearchiveddata for how to thaw data.

---
If this reply helps you, Karma would be appreciated.

robertlynch2020
Influencer

Hi

Thanks for this.

I have the following on 3 indexers.

robertlynch2020_0-1719418691243.png

 

In the DB folder, the hot buckets have the same name on some indexes, so I don't think I can copy these. Perhaps I should not copy them over and go for the other ones.

robertlynch2020_1-1719418764121.png

I also see the data in the datamodel_summary section, but I have no data models on this data.

Perhaps I don't need to copy these as well?

Cheers

Rob

 

0 Karma
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...