Getting Data In

Is it possible to migrate summary indexes from Splunk 4 to Splunk 6?

Contributor

I know this is probably a longshot, but is it possible to create a new summary index in our splunk 4 cluster with data run from a backfill script, the past year? Once the backfill is complete, is it possible to then migrate this splunk 4 summary index over to our splunk 6 indexers? I recall it's possible to migrate old indexes over but you lose the replication ability on that index. If we have the summary data migrated, that would be great. It would be fine if things like replication, report acceleration do not work with the migrated data.

Also, we have more indexers in the splunk 4 cluster vs the splunk 6 cluster. What would be the best way to merge two old splunk 4 summary indexes into one splunk 6 summary index?

1 Solution

Communicator

In theory, yes. You may need to play around to find out what the best way is to perform this migration, based on your particular environment(s).

Additional readings:
Documentation links:
http://wiki.splunk.com/Community:MoveIndexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Migratenon-clusteredindexerstoaclustereden...

Similar Answers post for index migration:
http://answers.splunk.com/answers/133426/summary-index-migration.html
http://answers.splunk.com/answers/86982/moving-a-summary-index.html

Backfill summary index (these seem to be for 6+, though):
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesummaryindexgapsandoverlaps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usesummaryindexing

Backfill summary index:
http://answers.splunk.com/answers/40629/summary-index-backfill.html (one of the comments lists out a command to do backfill)

As an alternative, once everything's filled out as summary in the 4.x environment, you might be able to export the data as "raw", and re-ingest in the new v6.x environment (ex: create a temp directory on a forwarder, drop the file in there, let it pull the records and fire them across your v6.x indexers).

View solution in original post

Communicator

In theory, yes. You may need to play around to find out what the best way is to perform this migration, based on your particular environment(s).

Additional readings:
Documentation links:
http://wiki.splunk.com/Community:MoveIndexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Migratenon-clusteredindexerstoaclustereden...

Similar Answers post for index migration:
http://answers.splunk.com/answers/133426/summary-index-migration.html
http://answers.splunk.com/answers/86982/moving-a-summary-index.html

Backfill summary index (these seem to be for 6+, though):
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesummaryindexgapsandoverlaps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usesummaryindexing

Backfill summary index:
http://answers.splunk.com/answers/40629/summary-index-backfill.html (one of the comments lists out a command to do backfill)

As an alternative, once everything's filled out as summary in the 4.x environment, you might be able to export the data as "raw", and re-ingest in the new v6.x environment (ex: create a temp directory on a forwarder, drop the file in there, let it pull the records and fire them across your v6.x indexers).

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!