Installation

How to migrate indexes to new indexer instance?

jfeitosa_real
Path Finder

I have a scenario in which I have an indexer instance with 2TB in /opt, but it is 92% full.

What is the most efficient and safe way to migrate the indexes to a new instance or a new partition?

Thanks in advance.

0 Karma
1 Solution

isoutamo
SplunkTrust
How I have done those?
- setup new host
- rsync (1st - Nth time) data + configs
- yum install splunk
- test with new version w/o alarms, emails etc.
- stop old
- final rsync with delete option
- start new

Until now, this has worked as expected.


0 Karma
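
The staged copy described in the answer above, written out as an added example that is not part of the original post or Splunk's own tooling. `SRC`, `DST`, the function names and the `--run` switch are assumptions; only `rsync` and `bin/splunk stop` are real commands.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. SRC and DST are assumed paths.
SRC="${SRC:-/opt/splunk}"          # old Splunk tree (indexes + configs)
DST="${DST:-/mnt/newdisk/splunk}"  # hypothetical target; may also be newhost:/opt/splunk

# One copy pass. The trailing slashes copy the contents of SRC into DST.
# -a keeps owner, mode and mtime; run as root so ownership is preserved.
sync_pass() {
    rsync -a "$@" "$SRC/" "$DST/"
}

# Count paths that would still be copied or deleted (dry run, nothing changes).
# 0 means DST is an exact mirror of SRC.
pending_changes() {
    rsync -a --delete --dry-run --itemize-changes "$SRC/" "$DST/" | wc -l | tr -d ' '
}

migrate() {
    # Passes 1..N while the old instance is still indexing. Each pass moves
    # less data, which keeps the later downtime short.
    sync_pass && sync_pass || return 1
    # Stop the old instance so no bucket changes during the last pass.
    "$SRC/bin/splunk" stop || return 1
    # Final pass: --delete removes paths that vanished on the source since
    # the earlier passes, e.g. hot bucket directories renamed when they rolled.
    sync_pass --delete || return 1
    # Refuse to continue unless the copy is exact.
    [ "$(pending_changes)" -eq 0 ] || { echo "copy differs from source" >&2; return 1; }
    echo "copy verified; start Splunk from the new location"
}

if [ "${1:-}" = "--run" ]; then migrate; fi
```

When the target is a new partition mounted at a different path on the same host, the index paths in indexes.conf still have to be changed to match, as noted later in the thread.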

jfeitosa_real
Path Finder

Perfect @isoutamo
That is the suggestion I made as well.
But to migrate to the new partition, I have doubts about the steps.

Thanks

0 Karma

jfeitosa_real
Path Finder

Ok, after compiling the indexes for the new partition, it is necessary to change the notes, the paths of the indexes in indexes.conf.
I will try this.

Thanks.

0 Karma

jfeitosa_real
Path Finder

Hi @isoutamo 

The issue is that the provisioned disk was made with RAID10, that is, it has 4 partitions of 1TB, but only 2TB available for /opt.

[root@Hostname]# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE   MOUNTPOINT
nvme0n1     259:5    0   50G  0 disk
├─nvxy0n1p1 259:6    0    1M  0 part
└─nvxy0n1p2 259:7    0   50G  0 part   /
nvxy1n1     259:0    0 1000G  0 disk
└─md0       9:0      0    2T  0 raid10 /opt
nvxy2n1     259:1    0 1000G  0 disk
└─md0       9:0      0    2T  0 raid10 /opt
nvxy3n1     259:2    0 1000G  0 disk
└─md0       9:0      0    2T  0 raid10 /opt
nvxy4n1     259:3    0 1000G  0 disk
└─md0       9:0      0    2T  0 raid10 /opt
nvxy5n1     259:4    0   40G  0 disk

[root@Hostname]# df -kh
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        7.6G     0  7.6G   0% /dev
tmpfs           7.6G     0  7.6G   0% /dev/shm
tmpfs           7.6G  377M  7.2G   5% /run
tmpfs           7.6G     0  7.6G   0% /sys/fs/cgroup
/dev/nvxy0n1p2   50G  3.0G   48G   6% /
/dev/md0        2.0T  1.7T  162G  92% /opt
tmpfs           1.6G     0  1.6G   0% /run/user/1000

0 Karma

isoutamo
SplunkTrust

Hi
Basically it depends on whether there is a need to e.g. refresh your hardware and/or OS. If there is, then the easiest way is to rsync /opt/splunk from the old server and, if it was installed from rpm/apt, then install it over the copied content.
You could find the exact commands quite easily from answers by Google.
r. Ismo
0 Karma