Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Forwarding one instance to another
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a splunk server setup on an internal network which has differing numbers of machines all using either syslog or the splunk forwarder to send on event or log information to the main server.
This network is not accessible externally so I have setup an external server.
Inside the internal one I then set it to forward everything and to keep a copy on itself, thus hopefully creating two servers containing identical data.
It has kind of worked. The internal one and external one are pretty much perfectly synced and have all the latest details, however the external one only has events going back as far as 3pm yesterday? The internal server has events going back to the middle of last week.
I did leave it overnight to try a reboot this morning to see if it was any different but it is still the same, does anyone have any ideas why this might be?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Draineh,
Are you saying the external server now is updated since the earliest event it received, or that it always maintains just a day (or so) of data in it?
When you configure a data clone, it will only send data from the time you set it up (its a copy not a sync). So if you did this after 3PM on the day in question, you will have nothing before that time but should have everything since.
Best,
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Draineh,
If now you are asking about bucket migration, yes that is possible. Since Splunk uses a flatfile data structure, you can just move the buckets around as necessary from system to system.
You do want to be sure of a few things:
- The bucket isn't a hot bucket (roll the bucket first, if so)
- That splunk isn't currently using the bucket when you move it
- That the destination system doesn't have a duplicate bucket name already
Here are some high-level instructions: http://www.splunk.com/wiki/Community:MoveIndexes
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Draineh,
Are you saying the external server now is updated since the earliest event it received, or that it always maintains just a day (or so) of data in it?
When you configure a data clone, it will only send data from the time you set it up (its a copy not a sync). So if you did this after 3PM on the day in question, you will have nothing before that time but should have everything since.
Best,
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. That may well be the case, I have alot happening in here so I find it difficult maintaining what time I have started things. Is it safe/possible if I was to copy and paste the db folders for the indexes from the internal server to the external server? I basically have some log data on the internal server which I need to be on the external server for some people to work with
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
