Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best way to migrate old data from a single Splunk server to a new cluster?

responsys_cm
Builder
‎07-01-2013 12:10 PM

Is there any way to point my old Splunk server at the new cluster and have it forward all of my previously indexed events to the cluster so that they are evenly distributed across the nodes and can take advantage of replication?

Splunk support says no. They say I can sync my old indexes to a single node of the cluster, but they won't take advantage of replication. I can have my search head run distributed searches on the old Splunk server, but then my old data won't get to take advantage of the new hardware in the cluster.

Has anyone in the community figured out a smart way to do this? Is there no way to tell an old indexer to forward all of its indexes to a new cluster?

Thx.

Craig

Tags (2)
0 Karma
Reply

arindam_sur
New Member
‎05-29-2015 06:23 AM

Hi,

I have similar trouble. I have my old data in an Indexer and I want to make this indexer as one the 2 peer nodes in the cluster. Once I introduce a master node to this cluster of old and new indexer, will the old data on the old indexer be replicated to the new one and get me search capabilities on both nodes for the old data?

Thanks,
Arindam

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎07-01-2013 07:55 PM

I'm going to have to go with Support on this one. If your retention time isn't terribly long, I'd just set the old server as a search peer of the new cluster. Once the indexes expire, decommission the old server. Otherwise, I'd go with their first suggestion and copy the indexes over.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...