
How to search across clustered and stand-alone indexers

stefandagerman
Path Finder

Assuming you have an established Splunk infrastructure with one or more indexers and everything is happily humming along. Now you have decided to take advantage of the V5 index cluster feature and create a new index cluster with the search and replication factors that satisfy your availability needs. But you still have good historic data in your standalone indexers that you want to be considered when searching data now indexed by your cluster.

Since it is not possible to set up a search head such that it uses clustered and non-clustered indexes at the same time, how can you make that work?

PS: Sorry for the misleading question title... 😉

1 Solution

stefandagerman
Path Finder

Since you cannot search across a mixed indexer environment (clustered and non-clustered), you will have to create a one-node cluster.

Here are the required steps:

  1. Stop forwarding any new data to the standalone indexer
  2. If your standalone indexer is pre-V5, upgrade to V5
  3. On the standalone indexer with historic data, install another instance of Splunk (change default ports as needed)
  4. Configure this new instance as a cluster master (let's call it CM_Historic). Set RF and SF = 1
  5. Configure your standalone indexer to be part of CM_Historic. Now you've successfully set up the 1-node cluster
  6. Go to your SH and configure server.conf to search across both clusters (CM_Historic and CM_Current, which is your shiny new cluster that receives all the new data).
  7. Once your historic data has aged out, you can remove CM_Historic from server.conf and decommission the server

Hope this helps folks facing a similar situation.

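As an added illustration of steps 4 to 6 above (not part of the original answer, and not copied from Splunk's documentation), these are the server.conf stanzas for the three roles involved. Hostnames, ports and the pass4SymmKey values are placeholders; the second instance on the historic host is assumed to listen on management port 8090, as changed in step 3.

```ini
# File 1: $SPLUNK_HOME/etc/system/local/server.conf on CM_Historic,
# the second Splunk instance installed on the old standalone host (step 4).
# RF = SF = 1 means no replicated bucket copies are ever created, so no new
# data lands on the historic node just to satisfy replication.
[clustering]
mode = master
replication_factor = 1
search_factor = 1
# placeholder; use a key that is distinct from the CM_Current cluster key
pass4SymmKey = HISTORIC_CLUSTER_KEY_PLACEHOLDER

# File 2: server.conf on the original standalone indexer, joined to
# CM_Historic as its only peer (step 5). The master runs on the same host,
# reachable on the non-default management port chosen in step 3.
[clustering]
mode = slave
master_uri = https://historic-idx.example.internal:8090
pass4SymmKey = HISTORIC_CLUSTER_KEY_PLACEHOLDER

# any free TCP port; only cluster members should be able to reach it
[replication_port://9887]

# File 3: server.conf on the search head (step 6). One [clustermaster:<name>]
# stanza per cluster, each with that cluster's own key. For step 7, drop the
# "historic" entry from master_uri and delete its stanza, then restart.
[clustering]
mode = searchhead
master_uri = clustermaster:historic, clustermaster:current

[clustermaster:historic]
master_uri = https://historic-idx.example.internal:8090
pass4SymmKey = HISTORIC_CLUSTER_KEY_PLACEHOLDER

[clustermaster:current]
master_uri = https://cm-current.example.internal:8089
pass4SymmKey = CURRENT_CLUSTER_KEY_PLACEHOLDER
```

Restart each instance after editing; keeping a separate pass4SymmKey per cluster means the key on the soon-to-be-retired historic node never grants membership in the new cluster.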

ducaandr
Engager

This functionality is now available in V6.1. The term is Hybrid Search.

http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Configurehybridsearch

Steve_G_
Splunk Employee

Although you can't search across an environment consisting of clustered and non-clustered indexers, there is another way to combine legacy and clustered data, which might work for you depending on your environment.

If you convert the non-clustered indexer into a cluster peer, the search head can search the legacy data on that indexer and combine it with the clustered data.

See http://docs.splunk.com/Documentation/Splunk/5.0.1/Indexer/Migratenon-clusteredindexerstoaclustereden...

stefandagerman
Path Finder

True, if you are willing to accept that your previously non-clustered indexer is a candidate for receiving new data as part of satisfying replication requirements for indices defined in the cluster and don't want to retire the non-clustered node.

The goal for the approach outlined above - even if I failed to state it explicitly - was to enable migration to a clustered environment while preserving access to historical data until it ages out, without adding new data to the indexer hosting it. I definitely could have been clearer about that. 🙂


