I have an index on server-a called wifi
that data is going into continuously. I want to move that index onto server-b. There is currently only one input coming into the index.
My plan is
wifi
on server-b
server-b
server-a
to warmserver-a:$SPLUNK_DB/wifi
to server-b:$SPLUNK_DB/wifi
Is there any chance of bucket collision?
Agree with dgrubb. This is not recommended as you can cause bucket collision.
The safest way is obviously by cutting the data input from the forwarder to the indexer. If your copy won't take too long (how large is the index currently?), this might be the easiest way. Your forwarder can queue the data for a while, before it looses data. If you like, you can enlarge the forwarders queue to make sure that it won't overflow. Fire it up as soon as you're done copying, and you should be allright.
I agree with dgrubb and renems - to avoid bucket conflict, you should turn on indexer acknowledgment on your forwarders and queue the data there while you make the move. See Protect against loss of in-flight data in the Forwarding Data manual.
When you make the move, follow the procedure in the Managing Indexers and Clusters of Indexers manual: Move the index database.
Agree with dgrubb. This is not recommended as you can cause bucket collision.
The safest way is obviously by cutting the data input from the forwarder to the indexer. If your copy won't take too long (how large is the index currently?), this might be the easiest way. Your forwarder can queue the data for a while, before it looses data. If you like, you can enlarge the forwarders queue to make sure that it won't overflow. Fire it up as soon as you're done copying, and you should be allright.
Since Server B will be ingesting data and creating buckets prior to your move of buckets from server a, I would say the potential to have a bucket conflict is still there.