Assuming you have an established Splunk infrastructure with one or more indexers and everything is happily humming along. Now you have decided to take advantage of the V5 index cluster feature and create a new index cluster with the search and replication factors that satisfy your availability needs. But you still have good historic data in your standalone indexers that you want to be considered when searching data now indexed by your cluster.
Since it is not possible to set up a search head such that it uses clustered and non-clustered indexes at the same time, how can you make that work?
PS: Sorry for the misleading question title... 😉
Since you cannot search across a mixed indexer environment (clustered and non-clustered), you will have to create a one-node cluster.
Here are the required steps:
Hope this helps folks facing a similar situation.
This functionality is now available in V6.1, the term being Hybrid Search.
http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Configurehybridsearch
Although you can't search across an environment consisting of clustered and non-clustered indexers, there is another way to combine legacy and clustered data, which might work for you depending on your environment.
If you convert the non-clustered indexer into a cluster peer, the search head can search the legacy data on that indexer and combine it with the clustered data.
True, if you are willing to accept that your previously non-clustered indexer is a candidate for receiving new data as part of satisfying replication requirements for indices defined in the cluster and don't want to retire the non-clustered node.
The goal for the approach outlined above - even if I failed to state it explicitly - was to enable migration to a clustered environment while preserving access to historical data until it ages out without adding new data to the indexer hosting it. I definitely could have been clearer about that. 🙂