Move data from old Splunk 6.3.2 to New Splunk 8.1.3 help

akballow
New Member

Hello everyone, 

I have been trying to move data from my old Splunk 6.3.2 to the new Splunk 8.1.3, which is empty.

I first tried to run a search "*" and downloaded everything, which is 16 GB. I then used the new Splunk web GUI monitor import, which did take all the data, but it only had one host, source, and source type.

The original Splunk had 3 index names, 2 hosts sending data, and many sources and source types.

How can I move the data so that search results show the same as they did in the original Splunk?

Is there a way to export everything to match exactly? I am having a hard time determining how to move these items.

Both the new and old Splunk have 1 search head, 2 indexers, and one master. I am not familiar with how to use the method of copying the index folders either. Hopefully someone can guide me on how I can move the data in place, keeping all the hosts, sources, sourcetypes, etc.

Thanks

0 Karma

gcusello
SplunkTrust
Hi @akballow,

One question: do you already have data on the new installation?

If not, you can copy the index folders to the new installation (obviously while Splunk is not running) and you will have the data in the new installation; you only have to pay attention to the folder location in indexes.conf.

Otherwise, you have to extract the data with the following annoying procedure:

  • analyze whether the source and host fields are relevant in your searches,
  • if not:
    • extract the data in raw format for each sourcetype and index you have (index=index1 sourcetype=sourcetype1),
    • annotate the index and sourcetype for each extraction,
  • if yes:
    • extract the data in raw format for each sourcetype, index, host and source you have (index=index1 sourcetype=sourcetype1 source=source1 host=host1),
    • annotate the index, sourcetype, host and source for each extraction,
  • upload the data one by one into the new system using the above information.

Ciao.

Giuseppe

0 Karma
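The per-combination export and re-import procedure from the answer above, sketched as an added example (not code from either poster): a dry-run script that prints one `splunk search ... -output rawdata` export and one `splunk add oneshot` import per index/sourcetype/host/source combination. The inventory values and the `export_N.raw` file names are constructed assumptions, as is the `earliest=0` term used to cover all time.

```shell
#!/bin/sh
# Dry run: prints the splunk commands for each combination; executes nothing.

# Constructed inventory (index|sourcetype|host|source), such as the output of
#   | tstats count where index=* by index, sourcetype, host, source
# on the old search head. Values are made up and must not contain "|".
INVENTORY='main|syslog|web01|/var/log/messages
main|access_combined|web02|/var/log/httpd/access log
security|WinEventLog:Security|dc01|WinEventLog:Security'

# Wrap a value in double quotes for SPL, escaping backslashes and quotes.
spl_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Wrap a value in single quotes for the shell.
sh_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Search that selects exactly one combination over all time.
# Args: index sourcetype host source
export_query() {
  printf 'index=%s sourcetype=%s host=%s source=%s earliest=0' \
    "$(spl_quote "$1")" "$(spl_quote "$2")" "$(spl_quote "$3")" "$(spl_quote "$4")"
}

# Print one export command (old system) and one import command (new system)
# per inventory line. The target index must already exist on the new system.
plan() {
  n=0
  printf '%s\n' "$INVENTORY" | while IFS='|' read -r idx st host src; do
    n=$((n + 1))
    file="export_$n.raw"   # hypothetical file name
    printf 'splunk search %s -output rawdata -maxout 0 > %s\n' \
      "$(sh_quote "$(export_query "$idx" "$st" "$host" "$src")")" "$file"
    printf 'splunk add oneshot %s -index %s -sourcetype %s -host %s -rename-source %s\n' \
      "$file" "$(sh_quote "$idx")" "$(sh_quote "$st")" "$(sh_quote "$host")" "$(sh_quote "$src")"
  done
}

plan
```

Raw export keeps only the event text, so timestamps are re-parsed on import; the sourcetype definitions therefore need to exist on the new system before the oneshot uploads run.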