How to condense data from 4 non-clustered indexers that are set up as VMs into a single dedicated hardware server?

Explorer

I currently have 4 indexers set up as VMs. Each indexer has dedicated LUNs for its data. I'm trying to find a way to preserve data while condensing the 4 virtual indexers into a single dedicated hardware host. Is there any fairly straightforward method to do so, or is it a situation where I am better off keeping them for historical purposes for a year (PCI data) and having all of my forwarders just start writing to the new indexer?

Communicator

A way to do so would be to roll everything over to archive (frozen) and reindex it on the new host.

See http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Automatearchiving
and: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Restorearchiveddata

This is not tied to the origin indexer, so there will be no problem with bucket IDs and stuff.
The only problem is the time you need to roll it over and back again.

Explorer

Outstanding, thanks for info! I'll give this a shot!

Communicator

Don't forget to add a partition to your "frozen" directory, e.g. by giving it a folder in your indexes.conf.

If you miss that, your data will be deleted!
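
The warning above can be checked before anything is rolled to frozen. The following is an added example, not part of the thread and not Splunk's own tooling: a shell function that lists the index stanzas in one indexes.conf that set neither coldToFrozenDir nor coldToFrozenScript. The sample stanzas and paths are constructed, and the check assumes a single file, so settings layered across several configuration files are not merged.

```shell
#!/bin/sh
# Added example (not from the thread): list index stanzas in one indexes.conf
# that set neither coldToFrozenDir nor coldToFrozenScript. Buckets of such an
# index are deleted when they freeze instead of being archived.
# Assumption: one file is read; layered configuration files are not merged.

indexes_without_archive() {
    awk '
        BEGIN { stanza = "default" }            # settings before any header are global
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                # stanza header such as [pci]
            stanza = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", stanza)
            if (!(stanza in seen)) { seen[stanza] = 1; order[++n] = stanza }
            next
        }
        # An archive destination counts only if it has a non-empty value.
        /^[ \t]*coldToFrozen(Dir|Script)[ \t]*=[ \t]*[^ \t]/ { archive[stanza] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s == "default" || s ~ /^volume:/) continue   # not indexes
                if (!(s in archive) && !("default" in archive)) print s
            }
        }
    ' "$1"
}

# Constructed sample input, for illustration only.
sample_conf() {
    cat <<'EOF'
[default]
frozenTimePeriodInSecs = 31536000

[volume:hot]
path = /data/hot

[pci]
homePath = $SPLUNK_DB/pci/db
coldToFrozenDir = /archive/frozen/pci

[web]
homePath = $SPLUNK_DB/web/db

[fw]
homePath = $SPLUNK_DB/fw/db
coldToFrozenDir =
EOF
}

# When run with a file argument, check that file.
if [ "$#" -gt 0 ]; then indexes_without_archive "$1"; fi
```

Any index name it prints needs an archive destination on the old indexers before its buckets are allowed to freeze.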