Moving data in indexers (clustered environment) to...

cirkit1 · ‎05-01-2014

Have a clustered environment of 3 indexers. Data in the indexers was used to test full architecture capability.

dont need the data anymore in the indexers as would like to start off with clean slate on indexers.

Would like to move existing data to a frozen bucket, as we been told repeatedly it is not a good idea to delete indexer data.

Looking for recommendation on best path and feasibility.

lguinn2 · ‎05-03-2014

You could do it this way:

Make sure that no inputs.conf is sending data to that index. Generally, it is okay to downsize an index while it is still being used, but the settings you will use here are pretty extreme. And you are deleting the index in the last step.
Make sure that you have specified a coldToFrozenDir - it can be anywhere that you like
Set the frozenTimePeriodInSecs to a small value like 86400 (1 day).
Wait until the time period is up.
Use this search | dbinspect index=yourindex span=7d to check that you do not have any buckets with data in them. You should still have hot buckets, but the event count should be zero.
Archive everything in the frozen directory.
Delete the directory containing the index (its location is specified in indexes.conf)
Delete the index stanza from indexes.conf.

[yourindex]
...
frozenTimePeriodInSecs=86400
coldToFrozenDir=/tmp/directoryforfrozenbuckets

Moving data in indexers (clustered environment) to frozen bucket