Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to migrate warm and thawed data from non-clustered indexers to a s2 index cluster?

Glasses
Builder
‎10-29-2020 07:08 AM

HI,

I am cutting over non-clustered indexers (v7.3.3) to a new smart store (s2) index cluster (v8.0.6).

Currently I have all new incoming data going to the new s2 idx cluster, and the old indexers are not taking on any new data.  All coldToFrozen time settings on the old indexers are commented out/ stopped.  In other words, the warm data is not growing or rolling off to frozen.

Our challenge is getting the non-frozen data and the frozen data into the new s2 indexer cluster so we can decom' the legacy non-clustered indexers.

Our plan is to start with the non-frozen data first, then thaw the frozen data and move that into the s2 idx cluster.

We have been reading splunk documentation but we are still a little confused by the process.

Splunk reference we are looking at>>>

https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/MigratestandalonetoSmartStore

Is there any other documentation we should review as well or will this process work for us?

If anyone has experience with this type of data migration, any advice is much appreciated.  We welcome any suggestions to tackle this migration.

 

Thank you

 

 

Labels (2)
Labels
0 Karma
Reply

Glasses
Builder
‎10-29-2020 08:25 AM

I see what you are saying in this doc>> https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Migratenon-clusteredindexerstoaclusterede...

Under this heading >>>

Is there any way to migrate my legacy data?

Because of the high processing cost of converting standalone buckets to replicated buckets (due to the need to make multiple searchable and non-searchable copies of those buckets to fulfill the cluster's replication and search factors), it is generally a bad idea to attempt to do so, particularly in the case of indexers with large numbers of standalone buckets. There is no supported procedure for this conversion. If, however, you have a strong need for such a conversion, contact Splunk Professional Services to discuss the trade-offs and requirements for this operation.

But I find that statement from Splunk unacceptable... we pay for support, so they should share the process.

If anyone else knows how to do this, please reply.

Thank you

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-29-2020 07:15 AM
If I understood right your requirement then you must contact to Professional Services and ask their helps, if you really want migrate unclustered data from old indexer node to the new clustered indexers. If you found any other reliable way to do it, I'm interested too 😉

Another option is just copy that data to some S3 buckets and waiting that it will aged out.
r. Ismo
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...