Hi,
I would like to recover all the data from an old Splunk instance in order to put it in my new Splunk architecture (2 Indexers and a master also used as a search head). My question is: How to do that? I have read that the indexed data is located in the defaultdb directory. Are there any other files I should copy so that the previous data appears on my new Splunk? Do I have to copy these files in both indexers' directories and master directories?
Thank you in advance for any advice.
Migrate a Splunk Enterprise instance explains the process.
About the buckets. It says under 'Bucket IDs and potential bucket collision' -
-- If you migrate a Splunk Enterprise instance to another Splunk instance that already has existing indexes with identical names, you must make sure that the individual buckets within those indexes have bucket IDs that do not collide. Splunk Enterprise does not start if it encounters indexes with buckets that have colliding bucket IDs. When you copy index data, you might need to rename the copied bucket files to prevent this condition.
And this bucket transfer is 'legal' -
-- If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual buckets of an index between hosts, as long as:
Please can you give straight steps and naming conversion how the bucket indexes from source to target should look like during the migration process?
Go through it: https://wiki.splunk.com/Community:MoveIndexes
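A sketch of the bucket ID collision check quoted above, added here as an example (it is not from the thread or from Splunk's documentation). It assumes warm/cold bucket directories are named `db_<newest>_<oldest>_<id>` with an optional `_<guid>` suffix, compares by numeric ID only as a conservative choice, and uses hypothetical function names and constructed sample names.

```python
import re

# Assumed bucket directory layout: db_<newest>_<oldest>_<id>[_<guid>]
# (rb_ is the replicated-copy prefix on clustered indexers).
BUCKET_RE = re.compile(r"^(db|rb)_(\d+)_(\d+)_(\d+)(?:_([0-9A-Fa-f-]{36}))?$")

def parse_bucket(name):
    """Split a bucket directory name into its parts; None if it is not a warm/cold bucket."""
    m = BUCKET_RE.match(name)
    if not m:
        return None  # hot buckets, temp files and anything else are skipped
    prefix, newest, oldest, local_id, guid = m.groups()
    return {"name": name, "prefix": prefix, "newest": newest,
            "oldest": oldest, "id": int(local_id), "guid": guid}

def plan_renames(source_names, target_names):
    """Return {old_name: new_name} for copied buckets whose ID is already used on the target."""
    source = [b for b in map(parse_bucket, source_names) if b]
    target = [b for b in map(parse_bucket, target_names) if b]
    used = {b["id"] for b in target}
    # New IDs start above every ID seen on either side, so a rename never creates a new clash.
    next_id = max([b["id"] for b in source + target], default=-1) + 1
    plan = {}
    for b in sorted(source, key=lambda b: b["id"]):
        if b["id"] in used:
            new_name = f'{b["prefix"]}_{b["newest"]}_{b["oldest"]}_{next_id}'
            if b["guid"]:
                new_name += f'_{b["guid"]}'
            plan[b["name"]] = new_name
            used.add(next_id)
            next_id += 1
        else:
            used.add(b["id"])
    return plan

# Constructed sample listings of one index's db directory on each host.
SOURCE = ["db_1389230491_1389230488_5", "db_1389230600_1389230500_6", "hot_v1_7"]
TARGET = ["db_1400000000_1399990000_5", "db_1400000500_1400000100_9"]

if __name__ == "__main__":
    for old, new in plan_renames(SOURCE, TARGET).items():
        print(f"rename {old} -> {new}")
```

Run it per index, and apply the renames to the copied directories before the target instance is started.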
Thank you for your answer. I have checked the process described in the documentation. I was wondering, as I have to migrate and update a Splunk instance, I won't be able to monitor any devices during the time I stop my old Splunk and launch the new one. Is there a way I can get this data?
Thanks for the help
Do I have to install the same version as my old Splunk in the first place and then update it?