How to migrate all indexed data from an old Splunk instance to a new Splunk environment?

ameslet
Explorer

Hi,

I would like to recover all the data from an old Splunk instance in order to put it in my new Splunk architecture (2 Indexers and a master also used as a search head). My question is: How to do that? I have read that the indexed data is located in the defaultdb directory. Are there any other files I should copy so that the previous data appears on my new Splunk? Do I have to copy these files in both indexers' directories and master directories?

Thank you in advance for any advice.

0 Karma
1 Solution

ddrillic
Ultra Champion

"Migrate a Splunk Enterprise instance" explains the process.

About the buckets. It says under 'Bucket IDs and potential bucket collision' -
-- If you migrate a Splunk Enterprise instance to another Splunk instance that already has existing indexes with identical names, you must make sure that the individual buckets within those indexes have bucket IDs that do not collide. Splunk Enterprise does not start if it encounters indexes with buckets that have colliding bucket IDs. When you copy index data, you might need to rename the copied bucket files to prevent this condition.

And this bucket transfer is 'legal' -
-- If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual buckets of an index between hosts, as long as:

  • The source and target hosts have the same endianness.
  • You are not trying to restore a bucket created by a 4.2 or later version of Splunk Enterprise to a version less than 4.2.

0 Karma
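
A pre-copy check for the bucket ID collisions mentioned in the answer above, as an added example that is not part of the original post or Splunk's own tooling. It assumes warm and cold bucket directories are named `db_<newest>_<oldest>_<localid>[_<guid>]` (with an `rb_` prefix for replicated copies) and that two buckets collide when the `<localid>[_<guid>]` part matches; it only prints a suggested rename plan and changes nothing on disk.

```shell
#!/bin/sh
# Added example, not Splunk tooling. ASSUMPTION: warm/cold bucket directories are
# named db_<newest>_<oldest>_<localid>[_<guid>] (rb_ prefix for replicated copies),
# e.g. the constructed name db_1700000500_1700000000_12.
export LC_ALL=C   # keep sort and comm ordering consistent

# bucket_key NAME -> "<localid>[_<guid>]", the part that must be unique in an index
bucket_key() {
    printf '%s\n' "$1" |
        sed -n -E 's/^(db|rb)_[0-9]+_[0-9]+_([0-9]+(_[0-9A-Fa-f-]+)?)$/\2/p'
}

# list_keys DIR -> sorted unique keys of the bucket directories in DIR
list_keys() {
    for d in "$1"/db_* "$1"/rb_*; do
        if [ -d "$d" ]; then bucket_key "${d##*/}"; fi
    done | sort -u
}

# colliding_keys SRC DST -> keys that exist on both sides, one per line
colliding_keys() {
    a=$(mktemp) && b=$(mktemp) || return 1
    list_keys "$1" >"$a"
    list_keys "$2" >"$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# rename_plan SRC DST -> "old_name new_name" for each colliding bucket in SRC,
# renumbered above the highest local id in use on either side. Prints only.
rename_plan() {
    next=$( { list_keys "$1"; list_keys "$2"; } | sed 's/_.*//' | sort -n | tail -n 1)
    next=$(( ${next:-0} + 1 ))
    colliding_keys "$1" "$2" | while read -r key; do
        guid=${key#"${key%%_*}"}          # "" or "_<guid>"
        for d in "$1"/db_*_"$key" "$1"/rb_*_"$key"; do
            [ -d "$d" ] || continue
            old=${d##*/}
            base=${old%_"$key"}           # name without the colliding id
            echo "$old ${base}_${next}${guid}"
            next=$(( next + 1 ))
        done
    done
}

# Usage: sh check_buckets.sh /path/to/copied/index/db /path/to/target/index/db
if [ "$#" -eq 2 ]; then rename_plan "$1" "$2"; fi
```

Run it once per index, against each bucket directory you copy (for example the `db` and `colddb` directories), before starting Splunk on the target.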

rita201
Loves-to-Learn

Please can you give straight steps and the naming convention for how the bucket indexes from source to target should look like during the migration process?

0 Karma

marisstella
Explorer
0 Karma

ameslet
Explorer

Thank you for your answer. I have checked the process described in the documentation. I was wondering, as I have to migrate and update a Splunk instance, I won't be able to monitor any devices during the time I stop my old Splunk and launch the new one. Is there a way I can get this data?

Thanks for the help

0 Karma

ameslet
Explorer

Do I have to install the same version as my old Splunk in the first place and then update it?
