How do you transfer indexes stored in a search hea...

charleschen8 · ‎10-23-2017

We have a Splunk environment with 1 search head, multiple indexers, and search peers. Currently search head stores a huge amount of Indexed data. Our requirement is to migrate Search head and Indexers/search peers to new servers. While doing this , we want to reduce volume of Indexed data in new search head, so we are thinking of distributing indexed data from search head to other peers.

All the servers are Windows based and version of Splunk is 7.0

Please let us know what is the right way of doing it.

Along with it , can you please also share instructions to be followed while migrating Indexers/Search peers and License server from one server to another ?

iandrews_splunk · ‎10-23-2017

Charles,

Moving indexed data can be as simple as stopping splunk, moving the index directories, then starting it back up. However, there are some issues that can arise, based on your setup. I suggest you read https://wiki.splunk.com/Community:MoveIndexes and http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Moveanindex thoroughly, have backups, and test it beforehand.

As for license masters, just upload your license to a new master and point your new servers to it. License masters are pretty straight forward.

How do you transfer indexes stored in a search head to other search peers?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...