Solved: How to condense data from 4 non-clustered indexers...

john_miller1 · ‎02-18-2015

I currently have 4 indexers setup as VMs. Each indexer has dedicated LUNs for their data. I'm trying to find a way to preserve data while condensing the 4 virtual indexers into a single dedicated hardware host. Any fairly straight forward method to do so or is it a situation where I am better off keeping them for historical purposes for a year (PCI data) and have all of my forwarders just start writing to the new indexer?

effem · ‎02-18-2015

A way to do so, would be, to roll everything over to archive (frozen) and reindex it on the new host.

See http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Automatearchiving
and: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Restorearchiveddata

This is not tied to the origin indexer. So there will be no problem with bucket-id's and stuff.
The only problem is the time you need, to roll it over and back again.

View solution in original post

effem · ‎02-18-2015

A way to do so, would be, to roll everything over to archive (frozen) and reindex it on the new host.

See http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Automatearchiving
and: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Restorearchiveddata

This is not tied to the origin indexer. So there will be no problem with bucket-id's and stuff.
The only problem is the time you need, to roll it over and back again.

john_miller1 · ‎02-18-2015

Outstanding, thanks for info! I'll give this a shot!

effem · ‎02-18-2015

Don't forget to add a partition to your "frozen"-directory e.g. giving it a folder in your indexes.conf.

If you miss that, your data will be deleted!

How to condense data from 4 non-clustered indexers that are set up as VMs into a single dedicated hardware server?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes