How to migrate all indexed data from an old Splunk instance to a new Splunk environment?

ameslet
Explorer

Hi,

I would like to recover all the data from an old Splunk instance in order to put it in my new Splunk architecture (2 Indexers and a master also used as a search head). My question is: How to do that? I have read that the indexed data is located in the defaultdb directory. Are there any other files I should copy so that the previous data appears on my new Splunk? Do I have to copy these files in both indexers' directories and master directories?

Thank you in advance for any advice.

0 Karma
1 Solution

ddrillic
Ultra Champion

"Migrate a Splunk Enterprise instance" explains the process.

About the buckets. It says under 'Bucket IDs and potential bucket collision' -
-- If you migrate a Splunk Enterprise instance to another Splunk instance that already has existing indexes with identical names, you must make sure that the individual buckets within those indexes have bucket IDs that do not collide. Splunk Enterprise does not start if it encounters indexes with buckets that have colliding bucket IDs. When you copy index data, you might need to rename the copied bucket files to prevent this condition.

And this bucket transfer is 'legal' -
-- If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual buckets of an index between hosts, as long as:

  • The source and target hosts have the same endianness.
  • You are not trying to restore a bucket created by a 4.2 or later version of Splunk Enterprise to a version less than 4.2.

0 Karma
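
A dry-run check for the bucket ID collision described in the answer above, as an added example that is not part of the original thread or Splunk's own tooling. It assumes warm/cold bucket directories are named `db_<newest>_<oldest>_<localid>[_<guid>]` and that a collision is resolved by changing the local ID; the function names and sample directories are hypothetical.

```python
import os
import re
import tempfile

# Assumed bucket directory layout: db_<newest>_<oldest>_<localid>[_<guid>]
# (rb_ prefix for replicated copies). Hot buckets (hot_v1_<id>) are skipped:
# stop the source instance so they roll to warm before copying.
BUCKET_RE = re.compile(r"^(db|rb)_(\d+)_(\d+)_(\d+)(?:_([0-9A-Fa-f-]{36}))?$")

def list_buckets(index_db_dir):
    """Return {(local_id, guid_or_None): dirname} for warm/cold buckets."""
    found = {}
    for name in sorted(os.listdir(index_db_dir)):
        m = BUCKET_RE.match(name)
        if m and os.path.isdir(os.path.join(index_db_dir, name)):
            found[(int(m.group(4)), m.group(5))] = name
    return found

def plan_renames(source_dir, target_dir):
    """Map each colliding source bucket name to a name with an unused local ID."""
    src, dst = list_buckets(source_dir), list_buckets(target_dir)
    used = {local_id for local_id, _ in src} | {local_id for local_id, _ in dst}
    next_id = max(used, default=-1) + 1
    plan = {}
    collisions = [k for k in src if k in dst]
    for key in sorted(collisions, key=lambda k: (k[0], k[1] or "")):
        m = BUCKET_RE.match(src[key])
        suffix = f"_{m.group(5)}" if m.group(5) else ""
        plan[src[key]] = f"{m.group(1)}_{m.group(2)}_{m.group(3)}_{next_id}{suffix}"
        next_id += 1
    return plan

def demo():
    """Constructed sample: two small index directories sharing bucket ID 3."""
    root = tempfile.mkdtemp()
    old, new = os.path.join(root, "old_db"), os.path.join(root, "new_db")
    samples = {
        old: ["db_1700000500_1700000000_3", "db_1700001500_1700001000_4", "hot_v1_5"],
        new: ["db_1710000500_1710000000_3", "db_1710001500_1710001000_7"],
    }
    for directory, names in samples.items():
        for name in names:
            os.makedirs(os.path.join(directory, name))
    return plan_renames(old, new)

if __name__ == "__main__":
    for old_name, new_name in demo().items():
        print(f"rename {old_name} -> {new_name}")
```

The script only prints a rename plan; apply it to the copied buckets while the target instance is stopped, and run it once per index that exists on both sides.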

rita201
Loves-to-Learn

Please can you give straight steps and naming conversion for how the bucket indexes from source to target should look like during the migration process?

0 Karma

ameslet
Explorer

Thank you for your answer. I have checked the process described in the documentation. I was wondering, as I have to migrate and update a Splunk instance, I won't be able to monitor any devices during the time I stop my old Splunk and launch the new one. Is there a way I can get these data?

Thanks for the help

0 Karma

ameslet
Explorer

Do I have to install the same version as my old Splunk in the first place and then update it?
