Installation

How to migrate all indexed data from an old Splunk instance to a new Splunk environment?

ameslet
Explorer

Hi,

I would like to recover all the data from an old Splunk instance in order to put it in my new Splunk architecture (2 Indexers and a master also used as a search head). My question is: How to do that? I have read that the indexed data is located in the defaultdb directory. Are there any other files I should copy so that the previous data appears on my new Splunk? Do I have to copy these files in both indexers' directories and master directories?

Thanks you in advance for any advice.

Labels (1)
0 Karma
1 Solution

ddrillic
Ultra Champion

Migrate a Splunk Enterprise instance

explains the process.

About the buckets. It says under 'Bucket IDs and potential bucket collision' -
-- If you migrate a Splunk Enterprise instance to another Splunk instance that already has existing indexes with identical names, you must make sure that the individual buckets within those indexes have bucket IDs that do not collide. Splunk Enterprise does not start if it encounters indexes with buckets that have colliding bucket IDs. When you copy index data, you might need to rename the copied bucket files to prevent this condition.

And this bucket transfer is 'legal' -
-- If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual buckets of an index between hosts, as long as:

  • The source and target hosts have the same endianness.
  • You are not trying to restore a bucket created by a 4.2 or later version of Splunk Enterprise to a version less than 4.2.

View solution in original post

0 Karma

rita201
Loves-to-Learn

please can you give straight steps and naming conversion how the buckets indexes from source to target should like like during migration process?

0 Karma

marisstella
Explorer
0 Karma

ddrillic
Ultra Champion

Migrate a Splunk Enterprise instance

explains the process.

About the buckets. It says under 'Bucket IDs and potential bucket collision' -
-- If you migrate a Splunk Enterprise instance to another Splunk instance that already has existing indexes with identical names, you must make sure that the individual buckets within those indexes have bucket IDs that do not collide. Splunk Enterprise does not start if it encounters indexes with buckets that have colliding bucket IDs. When you copy index data, you might need to rename the copied bucket files to prevent this condition.

And this bucket transfer is 'legal' -
-- If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual buckets of an index between hosts, as long as:

  • The source and target hosts have the same endianness.
  • You are not trying to restore a bucket created by a 4.2 or later version of Splunk Enterprise to a version less than 4.2.
0 Karma

ameslet
Explorer

Thank you for your answer. I have checked the process described on the documentation. I was wondering, as I have to migrate and update a Splunk instance, I won't be able to monitor any devices during the time I stop my old splunk and launch the new one. Is there a way I can get these data ?

Thanks for the help

0 Karma

ameslet
Explorer

Do I have to install the same version than my old Splunk in a first place and then update it ?

Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...