Solved: Re: Migrating splunk by changing the existing splu...

quahfamili · ‎01-19-2018

Hi all,

I had a Splunk instance that used to be ingesting data local data and hence it is the indexer as well as the search head.

I'm thinking of using it as a backup(duplicating)/secondary indexer and forward the data to a new server (migrated server with duplicated data).

Is it possible to do this? What is the step I need to take?

Thanks in advance.

nickhills · ‎01-20-2018

On the 'old' indexer:
In Settings> Forwarding and receiving > Forwarding Defults
Enable "Store a local copy of forwarded events?"

Then go to Settings> Forwarding and receiving > Forward data
Click "New" and enter the ip:port of your 'new' indexer.

What this will do is configure your indexer to work as a combined indexer & forwarder.
Copies of the data will be saved on your 'old' indexer and forwarded to your 'new' indexer.
When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden.

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎01-20-2018

On the 'old' indexer:
In Settings> Forwarding and receiving > Forwarding Defults
Enable "Store a local copy of forwarded events?"

Then go to Settings> Forwarding and receiving > Forward data
Click "New" and enter the ip:port of your 'new' indexer.

What this will do is configure your indexer to work as a combined indexer & forwarder.
Copies of the data will be saved on your 'old' indexer and forwarded to your 'new' indexer.
When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden.

If my comment helps, please give it a thumbs up!

quahfamili · ‎01-30-2018

Hi @nickhillscpl

I would want to ask you :

You mentioned "When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden."

How do I actually do it? Do i just changed the license to forwarder license, so it would not consume my data ingest limit?

adonio · ‎01-19-2018

hello there,

everything is possible, what is it that you would like to accomplish?
do you need backup? if you can keep the data and the server (old indexer) no need to forward it to a new insatnce.
install splunk on new server, add the old server as a search pear to the new splunk server. read here:
https://docs.splunk.com/Documentation/Splunk/7.0.1/DistSearch/Configuredistributedsearch
ad you are ready to rock and roll

hope it helps

quahfamili · ‎01-20-2018

Hi I want the older server to remain and forward the events to a new server, so there is a duplicate of server.

The issue here is that the old server is very slow but I want to keep it until everything is stablised before shutting the index. The older server will remain to process some file and forward to the newer server but not indexing anymore.

Possible? How?

How to migrate Splunk by changing the existing instance to become forwarder/secondary indexer?

indexer

search head

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation