Solved: Re: How to condense data from 4 non-clustered inde...

john_miller1 · ‎02-18-2015

I currently have 4 indexers setup as VMs. Each indexer has dedicated LUNs for their data. I'm trying to find a way to preserve data while condensing the 4 virtual indexers into a single dedicated hardware host. Any fairly straight forward method to do so or is it a situation where I am better off keeping them for historical purposes for a year (PCI data) and have all of my forwarders just start writing to the new indexer?

effem · ‎02-18-2015

A way to do so, would be, to roll everything over to archive (frozen) and reindex it on the new host.

See http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Automatearchiving
and: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Restorearchiveddata

This is not tied to the origin indexer. So there will be no problem with bucket-id's and stuff.
The only problem is the time you need, to roll it over and back again.

View solution in original post

effem · ‎02-18-2015

A way to do so, would be, to roll everything over to archive (frozen) and reindex it on the new host.

See http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Automatearchiving
and: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Restorearchiveddata

This is not tied to the origin indexer. So there will be no problem with bucket-id's and stuff.
The only problem is the time you need, to roll it over and back again.

john_miller1 · ‎02-18-2015

Outstanding, thanks for info! I'll give this a shot!

effem · ‎02-18-2015

Don't forget to add a partition to your "frozen"-directory e.g. giving it a folder in your indexes.conf.

If you miss that, your data will be deleted!

How to condense data from 4 non-clustered indexers that are set up as VMs into a single dedicated hardware server?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!