Installation

How to migrate indexes to new indexer instance?

jfeitosa_real
Path Finder

I have a scenario, in which I have an indexer instance with 2TB in / opt, but it is 92% full.

What is the most efficient and safe way to migrate the indexes to a new instance or a new partition?

Thanks in advance.

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust
How I have done those?
- setup new host
- rsync (1st - Nth time) data + configs
- yum install splunk
- test with new version w/o alarms, emails etc.
- stop old
- final rsync with delete option
- start new

Until no, this has worked as expected

View solution in original post

0 Karma

jfeitosa_real
Path Finder

Perfect @soutamo 
That is the suggestion I made as well.
But to migrate to the new partition, I have doubts about the steps.Perfect.
That is the suggestion I made as well.
But to migrate to the new partition, I have doubts about the steps.

 

Thanks

0 Karma

isoutamo
SplunkTrust
SplunkTrust
How I have done those?
- setup new host
- rsync (1st - Nth time) data + configs
- yum install splunk
- test with new version w/o alarms, emails etc.
- stop old
- final rsync with delete option
- start new

Until no, this has worked as expected
0 Karma

jfeitosa_real
Path Finder

Ok, after compiling the indexes for the new partition, it is necessary to change the notes, the paths of the indexes in indexes.conf.
I will try this.

Thanks.

0 Karma

jfeitosa_real
Path Finder

Hi @isoutamo 

The issue is that the provisioned disk was made with Raid10, that is, it has 4 partitions of 1TB, but only available 2TB for / opt.

[root @ Hostname] # lsblk
NAME MAJ: MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259: 5 0 50G 0 disk
├─nvxy0n1p1 259: 6 0 1M 0 part
└─nvxy0n1p2 259: 7 0 50G 0 part /
nvxy1n1 259: 0 0 1000G 0 disk
└─md0 9: 0 0 2T 0 raid10 / opt
nvxy2n1 259: 1 0 1000G 0 disk
└─md0 9: 0 0 2T 0 raid10 / opt
nvxy3n1 259: 2 0 1000G 0 disk
└─md0 9: 0 0 2T 0 raid10 / opt
nvxy4n1 259: 3 0 1000G 0 disk
└─md0 9: 0 0 2T 0 raid10 / opt
nvxy5n1 259: 4 0 40G 0 disk

[root @ Hostname] # df -kh
Filesystem Size Used Avail Use% Mounted on
devtmpfs 7.6G 0 7.6G 0% / dev
tmpfs 7.6G 0 7.6G 0% / dev / shm
tmpfs 7.6G 377M 7.2G 5% / run
tmpfs 7.6G 0 7.6G 0% / sys / fs / cgroup
/ dev / nvxy0n1p2 50G 3.0G 48G 6% /
/ dev / md0 2.0T 1.7T 162G 92% / opt
tmpfs 1.6G 0 1.6G 0% / run / user / 1000

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi
Basically it depends are there need to e.g. refresh your hardware and/or os. If there is then the easiest way is to rsync /opt/splunk from old server and if it has installed from rpm/apt then install it over copied content.
You could find exact commands to do quite easily from answers by google.
r. Ismo
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...