Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Move data from old Splunk 6.3.2 to New Splunk 8.1.3 help

akballow
New Member
‎07-09-2021 03:37 PM

Hello everyone, 

I have been trying to move data from my old 6.3.2 splunk to the new 8.1.3 splunk which is empty.

 

I tried to first do a search "*" and downloaded everything which is 16gb. I then used the new splunk web gui monitor import which did take all the data, but it only had one host, source, and source type.

The original splunk had 3 index names, 2 hosts sending data, and many sources and source types.

How can i move the data so that search results show the same as it did in the original splunk?

Is there a way to export everything to match exactly? I am having a hard time determining how to move these items.


Both the new and old splunk have 1 search head, 2 indexers, and one master. I am not familair in how I can copy the index folder method either. Hopefully someone can guide me in how I can move the data in place keeping all the hosts, source, sourcetypes, etc.

Thanks

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-09-2021 11:13 PM

Hi @akballow,

one question: have you already data on the new installation?

if not, you can copy the indexes folders in the new installation (obviously when Splunk is not running) and you have the data in the new installation, you have only to put attention to the folder location in indexes.conf.

Otherwise, you have to extract the data with the following annoying procedure:

  • analyze if in your searches are relevant source and host fields,
  • if not:
    • extract data in raw format for each sourcetype and index you have (index=index1 sourcetype=sourcetype1),
    • annotate for each extraction index and sourcetype,
  • if yes:
    • extract data in raw format for each sourcetype, index, host and source you have (index=index1 sourcetype=sourcetype1 source=source1 host=host1),
    • annotate for each extraction index, sourcetype, host and source,
  • upload one by one the data in the new system using the above information.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...