Thanks for the response.

we do not want downtime, please find the below steps on 

Old Splunk indexers

1. All the data is ingesting(storage path) in the default location  (/opt/splunk/var/lib/splunk)
2. Has CM

New Splunk Servers

1. Prepare 3 New indexers and a New CM

2. On New Indexers Storage path for Hot & warn data is

/splunk_hot and /splunk_cold

Plan for Migration from old to New (without down-time)

1. Build a New Cluster Master
2. Build 3 New Indexers with storage paths as (/splunk_hot and /Splunk_cold)
3. Create the symbolic link on the old Indexers with the same Name New indexers storage path ((/splunk_hot and /Splunk_cold)

Example : ln -s /opt/splunk/var/lib/splunk/…..    /splunk_hot (I am not sure here)

1. Change the path in config in indexes.conf on old Cluster Master

[volume_primary]

#Path = /opt/splunk/var/lib/splunk  (this is old path and it is committed)

Path = /splunk_hot

[volume_cold]

#Path = /opt/splunk/var/lib/splunk  (this is old path and it is committed)

Path = /splunk_cold

1. Push the bundle from the old CM.
2. Join the New indexer server to the old CM. (This will sync the data)
3. Wait till all the data is sync
4. Move the Old CM config to New Cluster Master
5. Shutdown the old CM
6. Last step make the old indexers offline enforce count.

I am Struck here

I want to create a symbolic link on old indexers servers, how could I create and point the hot data to move in /splunk_hot  and colddb  to /splunk_cold

I can see in the old indexers they are lots on index available (like windows,Linux,security,waf,firewall)

Hi @mshakeb,

having an Indexer Cluster, the best solution is adding three new Indexers to the old CM using RF=3 and SF=3, in this way, after some time) in the new three Indexers you will have a complete set of data.

When data will be replicated in the new indexers, remove, one by one the three old Indexers, then change RF and SR as original.

At least replace the CM following the documentation.

Plan with much attention these activities!

Ciao.

Giuseppe