Hi all,
I had a Splunk instance that used to be ingesting local data, and hence it is the indexer as well as the search head.
I'm thinking of using it as a backup (duplicating)/secondary indexer and forwarding the data to a new server (migrated server with duplicated data).
Is it possible to do this? What are the steps I need to take?
Thanks in advance.
On the 'old' indexer:
In Settings > Forwarding and receiving > Forwarding defaults
Enable "Store a local copy of forwarded events?"
Then go to Settings > Forwarding and receiving > Forward data
Click "New" and enter the ip:port of your 'new' indexer.
What this will do is configure your indexer to work as a combined indexer & forwarder.
Copies of the data will be saved on your 'old' indexer and forwarded to your 'new' indexer.
When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden.
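The same index-and-forward setup expressed as configuration files, as an added example that is not part of the original answer. The group name `new_indexer`, the address `192.0.2.10` and the port `9997` are placeholders, and the receiving stanza on the 'new' indexer is an assumption the answer does not spell out.

```ini
# --- 'old' indexer: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
# Send everything to the target group defined below (group name is a placeholder)
defaultGroup = new_indexer
# Keep indexing locally while forwarding; this corresponds to the
# "Store a local copy of forwarded events?" option in Splunk Web
indexAndForward = true

[tcpout:new_indexer]
# ip:port of the 'new' indexer (placeholder values)
server = 192.0.2.10:9997

# --- 'new' indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The 'new' indexer must be listening for forwarded data on the same port
[splunktcp://9997]
disabled = 0
```

Restart Splunk on each server after editing the files so the settings take effect.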
Hi @nickhillscpl
I would want to ask you:
You mentioned "When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden."
How do I actually do it? Do I just change the license to a forwarder license, so it would not consume my data ingest limit?
hello there,
everything is possible, what is it that you would like to accomplish?
do you need backup? if you can keep the data and the server (old indexer) no need to forward it to a new instance.
install splunk on new server, add the old server as a search peer to the new splunk server. read here:
https://docs.splunk.com/Documentation/Splunk/7.0.1/DistSearch/Configuredistributedsearch
and you are ready to rock and roll
hope it helps
Hi, I want the older server to remain and forward the events to a new server, so there is a duplicate of the server.
The issue here is that the old server is very slow, but I want to keep it until everything is stabilised before shutting down the index. The older server will remain to process some files and forward to the newer server, but not indexing anymore.
Possible? How?