Can you give me some advice on upgrading and deploying?

Path Finder

Hi all,

My current splunk setup is a pre-processing system forwarding to one system. That system is a search head and indexer. I offloaded some processing to the heavy forwarder. However, as the data grew, the search became slower and storage lowered.

I need some advice.

I have secured some funds to get 2 new systems. I intend to re-setup my Splunk server to the following configuration. 1 pre-proc, 2 indexers and 1 search head (current indexer+search head). However, I do not know how to move the indexes to the other system and continue to let the system perform as usual.

Please advise.

Labels (4)
0 Karma


i would make sure to read this

How to move index buckets from one host to another
If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual
buckets of an index between hosts, as long as:

When you copy individual bucket files, you must make sure that no bucket IDs conflict on the new system. Otherwise, Splunk
Enterprise does not start. You might need to rename individual bucket directories after you move them from the source system to
the target system.
Roll any hot buckets on the source host from hot to warm.
Review indexes.conf on the old host to get a list of the indexes on that host.
On the target host, create indexes that are identical to the ones on the source system.
Copy the index buckets from the source host to the target host.
Restart Splunk Enterprise.

use robo copy for windows

rsync if you're using Linux

0 Karma

Esteemed Legend

This is a complicated, fragile, and considerably custom process which is generally done by PS. We have done this for several clients.

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...