Hi all,
My current Splunk setup is a pre-processing system forwarding to one system. That system is a search head and indexer. I offloaded some processing to the heavy forwarder. However, as the data grew, the search became slower and storage lowered.
I need some advice.
I have secured some funds to get 2 new systems. I intend to re-setup my Splunk server to the following configuration. 1 pre-proc, 2 indexers and 1 search head (current indexer+search head). However, I do not know how to move the indexes to the other system and continue to let the system perform as usual.
Please advise.
I would make sure to read this:
How to move index buckets from one host to another
If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual buckets of an index between hosts, as long as:
When you copy individual bucket files, you must make sure that no bucket IDs conflict on the new system. Otherwise, Splunk Enterprise does not start. You might need to rename individual bucket directories after you move them from the source system to the target system.
1. Roll any hot buckets on the source host from hot to warm.
2. Review indexes.conf on the old host to get a list of the indexes on that host.
3. On the target host, create indexes that are identical to the ones on the source system.
4. Copy the index buckets from the source host to the target host.
5. Restart Splunk Enterprise.
Use robocopy for Windows,
rsync if you're using Linux
This is a complicated, fragile, and considerably custom process which is generally done by PS. We have done this for several clients.
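As an added example (not part of the thread or of Splunk's documentation), here is a pre-copy check for the bucket ID conflicts the quoted procedure warns about: it compares the bucket directory listings of one index on the source and target hosts and proposes a non-conflicting name for each warm/cold bucket. It assumes standalone (non-clustered) bucket directories named `db_<newest>_<oldest>_<id>` and hot buckets named `hot_v<n>_<id>`; the function names and the sample listings are constructed for illustration.

```python
import os
import re

# Assumed standalone (non-clustered) names: db_<newest>_<oldest>_<id>, hot_v<n>_<id>
WARM_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")
HOT_RE = re.compile(r"^hot_v\d+_(\d+)$")


def list_bucket_dirs(index_db_path):
    """Directory names under one index's bucket path (hypothetical helper)."""
    return sorted(d for d in os.listdir(index_db_path)
                  if os.path.isdir(os.path.join(index_db_path, d)))


def plan_bucket_move(source_dirs, target_dirs):
    """Return (hot, unknown, renames) for copying source buckets to the target.

    hot     -- source buckets still hot; roll them to warm before copying
    unknown -- source names that do not match the assumed patterns; review by hand
    renames -- {source_name: name_to_use_on_target} for each warm/cold bucket
    """
    used = set()  # bucket IDs already present on the target (warm, cold or hot)
    for name in target_dirs:
        m = WARM_RE.match(name) or HOT_RE.match(name)
        if m:
            used.add(int(m.group(m.lastindex)))
    hot, unknown, renames = [], [], {}
    for name in sorted(source_dirs):
        m = WARM_RE.match(name)
        if HOT_RE.match(name):
            hot.append(name)
        elif not m:
            unknown.append(name)
        else:
            newest, oldest, bucket_id = m.group(1), m.group(2), int(m.group(3))
            if bucket_id in used:          # ID already taken on the target
                bucket_id = max(used) + 1  # pick the next unused ID
            used.add(bucket_id)
            renames[name] = f"db_{newest}_{oldest}_{bucket_id}"
    return hot, unknown, renames


if __name__ == "__main__":
    # Constructed sample listings, not taken from a real system.
    source = ["db_1700000500_1700000000_0", "db_1700001000_1700000501_1", "hot_v1_2"]
    target = ["db_1690000500_1690000000_0", "db_1690001000_1690000501_3"]
    hot, unknown, renames = plan_bucket_move(source, target)
    print("roll to warm first:", hot)
    print("review by hand:", unknown)
    for old, new in renames.items():
        print(f"{old} -> {new}")
```

Run it against the listings of each index before copying, and only copy once the hot list is empty and every unrecognized name has been reviewed.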