Getting Data In

Move index from one server to another

joxley
Path Finder

I have an index on server-a called wifi that data is going into continuously. I want to move that index onto server-b. There is currently only one input coming into the index.

My plan is

  • Create index wifi on server-b
  • Point the input to server-b
  • Roll index on server-a to warm
  • Copy server-a:$SPLUNK_DB/wifi to server-b:$SPLUNK_DB/wifi

Is there any chance of bucket collision?

1 Solution

renems
Communicator

Agree with dgrubb. This is not recommended as you can cause bucket collision.
The safest way is obviously by cutting the data input from the forwarder to the indexer. If your copy won't take too long (how large is the index currently?), this might be the easiest way. Your forwarder can queue the data for a while, before it looses data. If you like, you can enlarge the forwarders queue to make sure that it won't overflow. Fire it up as soon as you're done copying, and you should be allright.

View solution in original post

ChrisG
Splunk Employee
Splunk Employee

I agree with dgrubb and renems - to avoid bucket conflict, you should turn on indexer acknowledgment on your forwarders and queue the data there while you make the move. See Protect against loss of in-flight data in the Forwarding Data manual.

When you make the move, follow the procedure in the Managing Indexers and Clusters of Indexers manual: Move the index database.

renems
Communicator

Agree with dgrubb. This is not recommended as you can cause bucket collision.
The safest way is obviously by cutting the data input from the forwarder to the indexer. If your copy won't take too long (how large is the index currently?), this might be the easiest way. Your forwarder can queue the data for a while, before it looses data. If you like, you can enlarge the forwarders queue to make sure that it won't overflow. Fire it up as soon as you're done copying, and you should be allright.

dgrubb_splunk
Splunk Employee
Splunk Employee

Since Server B will be ingesting data and creating buckets prior to your move of buckets from server a, I would say the potential to have a bucket conflict is still there.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...