Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you give me some advice on upgrading and deploying?

quahfamili
Path Finder
‎12-21-2018 12:45 AM

Hi all,

My current splunk setup is a pre-processing system forwarding to one system. That system is a search head and indexer. I offloaded some processing to the heavy forwarder. However, as the data grew, the search became slower and storage lowered.

I need some advice.

I have secured some funds to get 2 new systems. I intend to re-setup my Splunk server to the following configuration. 1 pre-proc, 2 indexers and 1 search head (current indexer+search head). However, I do not know how to move the indexes to the other system and continue to let the system perform as usual.

Please advise.

Labels (4)
0 Karma
Reply

CarsonZa
Contributor
‎12-21-2018 09:54 AM

i would make sure to read this

How to move index buckets from one host to another
If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual
buckets of an index between hosts, as long as:

When you copy individual bucket files, you must make sure that no bucket IDs conflict on the new system. Otherwise, Splunk
Enterprise does not start. You might need to rename individual bucket directories after you move them from the source system to
the target system.
Roll any hot buckets on the source host from hot to warm.
Review indexes.conf on the old host to get a list of the indexes on that host.
On the target host, create indexes that are identical to the ones on the source system.
Copy the index buckets from the source host to the target host.
Restart Splunk Enterprise.

use robo copy for windows

rsync if you're using Linux

0 Karma
Reply

woodcock
Esteemed Legend
‎12-21-2018 09:40 AM

This is a complicated, fragile, and considerably custom process which is generally done by PS. We have done this for several clients.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...