
How to migrate Splunk by changing the existing instance to become a forwarder/secondary indexer?

quahfamili
Path Finder

Hi all,

I had a Splunk instance that used to be ingesting local data, and hence it is the indexer as well as the search head.

I'm thinking of using it as a backup (duplicating)/secondary indexer and forwarding the data to a new server (migrated server with duplicated data).

Is it possible to do this? What steps do I need to take?

Thanks in advance.


nickhills
Ultra Champion

On the 'old' indexer:
In Settings > Forwarding and receiving > Forwarding Defaults
Enable "Store a local copy of forwarded events?"

Then go to Settings > Forwarding and receiving > Forward data
Click "New" and enter the ip:port of your 'new' indexer.

What this will do is configure your indexer to work as a combined indexer & forwarder.
Copies of the data will be saved on your 'old' indexer and forwarded to your 'new' indexer.
When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden.

If my comment helps, please give it a thumbs up!
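
A config-level check for the index-and-forward setup described in the answer above, as an added example that is not part of the original post or Splunk's own tooling. It assumes the UI steps correspond to the `indexAndForward`, `defaultGroup` and `server` settings in `outputs.conf`; the group name `new_indexer` and the address `192.0.2.10:9997` are placeholders.

```python
import configparser

# Constructed sample: outputs.conf on the 'old' indexer. The group name
# "new_indexer" and the address 192.0.2.10:9997 are placeholders.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = new_indexer
indexAndForward = true

[tcpout:new_indexer]
server = 192.0.2.10:9997
"""

# Assumed spellings of a true boolean in a .conf file.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}


def check_index_and_forward(conf_text):
    """Return a list of problems; an empty list means the config both
    keeps a local copy and forwards to at least one valid host:port."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    if not cp.has_section("tcpout"):
        return ["no [tcpout] stanza: forwarding is not configured"]
    problems = []
    local = cp.get("tcpout", "indexAndForward", fallback="false")
    if local.strip().lower() not in TRUE_VALUES:
        problems.append("indexAndForward is off: no local copy is kept")
    default = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in default.split(",") if g.strip()]
    if not groups:
        problems.append("defaultGroup is empty: nothing is forwarded by default")
    for group in groups:
        stanza = "tcpout:" + group
        servers = cp.get(stanza, "server", fallback="") if cp.has_section(stanza) else ""
        targets = [s.strip() for s in servers.split(",") if s.strip()]
        if not targets:
            problems.append("group %r has no server list" % group)
        for target in targets:
            host, _, port = target.rpartition(":")
            if not host or not port.isdigit() or not 0 < int(port) < 65536:
                problems.append("bad receiver address %r" % target)
    return problems


if __name__ == "__main__":
    for line in check_index_and_forward(SAMPLE_OUTPUTS_CONF) or ["OK"]:
        print(line)
```

Running it against the old indexer's effective `outputs.conf` before repointing the other forwarders shows whether events are still being kept locally while they are copied to the new indexer, so the cut-over does not leave a gap in either copy.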

quahfamili
Path Finder

Hi @nickhillscpl

I would like to ask you:

You mentioned "When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden."

How do I actually do it? Do I just change the license to a forwarder license, so it would not consume my data ingest limit?


adonio
Ultra Champion

hello there,

everything is possible, what is it that you would like to accomplish?
do you need backup? if you can keep the data and the server (old indexer) no need to forward it to a new instance.
install splunk on new server, add the old server as a search peer to the new splunk server. read here:
https://docs.splunk.com/Documentation/Splunk/7.0.1/DistSearch/Configuredistributedsearch
and you are ready to rock and roll

hope it helps


quahfamili
Path Finder

Hi, I want the older server to remain and forward the events to a new server, so there is a duplicate of the server.

The issue here is that the old server is very slow, but I want to keep it until everything is stabilised before shutting the index. The older server will remain to process some files and forward to the newer server but not indexing anymore.

Possible? How?
