Solved: How to re-index data to one indexer when a forward...

DanielFordWA · ‎05-17-2016

I have the following configuration on my forwarder.

[tcpout]
defaultGroup=indexer1,indexer2,indexer3

[tcpout:indexer1]
server=[*indexer1*]

[tcpout:indexer2]
server=[*indexer2*]

[tcpout:indexer3]
server=[*indexer3*]

The props.conf was configured incorrectly on indexer2.

I need to re-index all the data on this server to indexer2.

How can I do this without reindexing data for indexer1 and indexer3?

There are hundreds of files, so oneshot does not seem to be an option.

I know about deleting the fishbucket on the forwarder, but again, this would send data to all indexers.

Hope you can help!

Thanks,

Dan

somesoni2 · ‎05-17-2016

You can try this

1) Create a new directory on the forwarder server to store the files that needs to be re-indexed (if original dir is /var/opt/abc/xyz/something.log, create a dir /var/opt/abc/xyz_resend) and copy the files needing re-indexing

2) Create a new entry in inputs.conf (wherever you like, preferably under an app OR etc/system/local) to monitor the files in this new directory. Specify the property _TCP_ROUTING for this monitoring stanza to send this to only indexer2.
inputs.conf.

[monitor:///var/opt/abc/xyz_resend/something.log]
index=...
sourcetype=...
_TCP_ROUTING=tcpoutgroupNameforIndexer2

See this for more information on _TCP_ROUTING attribute http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/Inputsconf

3) Restart the forwarder and you should be done. You can remove the inputs.conf change once done OR keep this in case you need this in future.

View solution in original post

somesoni2 · ‎05-17-2016

You can try this

1) Create a new directory on the forwarder server to store the files that needs to be re-indexed (if original dir is /var/opt/abc/xyz/something.log, create a dir /var/opt/abc/xyz_resend) and copy the files needing re-indexing

2) Create a new entry in inputs.conf (wherever you like, preferably under an app OR etc/system/local) to monitor the files in this new directory. Specify the property _TCP_ROUTING for this monitoring stanza to send this to only indexer2.
inputs.conf.

[monitor:///var/opt/abc/xyz_resend/something.log]
index=...
sourcetype=...
_TCP_ROUTING=tcpoutgroupNameforIndexer2

See this for more information on _TCP_ROUTING attribute http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/Inputsconf

3) Restart the forwarder and you should be done. You can remove the inputs.conf change once done OR keep this in case you need this in future.

DanielFordWA · ‎05-19-2016

Just to confirm, the above method should work on 6.2.0 forwarders?

If I have another input, from the same forwarder, feeding the most recent data to Indexer2, to the same index and with the same sourcetype, at the same time as the back load, would this cause an issue?

I missed 'crcSalt = ' off the resend input so will try again with a new folder.

At the moment I am getting the most recent data but no data off the resend folder.

DanielFordWA · ‎05-19-2016

still no luck even with crcSalt

masonmorales · ‎05-17-2016

1) Stop Splunk on indexer1 and indexer 2
2) Copy the $SPLUNK_DB sub-directories of all relevant indexes from indexer 1 over to indexer 2
3) Extract a Splunk package over the existing Splunk installation on indexer 2
4) Start Splunk on both instances

How to re-index data to one indexer when a forwarder is configured to send to two indexers?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation