I have seen an answer to part of my question (whether I can copy the contents of an index to another server) in the answer below:
But I have a further query on this: Is it possible to migrate the data from an old server under a certain index (eg. defaultdb) to a new server into a different index (say eg. migrateddb)?
Does the indexed data in the buckets (eg. /opt/splunk/var/lib/splunk/defaultdb/db/db_1318590087_1318108850_7491) contain anything that ties them to that specific defaultdb index name?
I would suspect not, but I'm intrigued to know now - hadn't thought of that before 🙂
There is no information about the index in the buckets, you can migrate a bucket manually to a :
Recommendations are :
Some extra details on the migration of indexes to a new indexer.
If you just want to move your indexed data from the old standalone indexer to a new indexer cluster, this is an easy procedure of copying files.
Usually the indexes to migrate are :
- main ($SPLUNK_HOME/var/lib/splunk/defaultdb on the disk by default)
- summary ($SPLUNK_HOME/var/lib/splunk/summary on the disk by default)
and any other custom indexes you may have.
First create the indexes on the new indexers and start Splunk once (to create the folders).
For each index you want to migrate, you will find bucket folders in the /db and /colddb folders that you will have to copy to the new location (or distribute them one by one on a different indexer to distribute the volume).
Bucket folder names are db**
You may not need to do anything if the destination indexes are empty. But if you are merging buckets from indexes, or splitting them over several indexers, you want to avoid duplicates of the id. The easy way is to increment the id in a range higher than the existing ones.
In case of a duplicate id, a warning will be recorded in splunkd.log at start and the index will be disabled. If it happens, just fix the id, re-enable the index and start.
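As an added example (not code from this thread, and not a Splunk utility), the following bash script carries out the id-renumbering recommended above: it reads the highest bucket id already present in the destination index's db folder and copies each source bucket in under a name whose id is shifted above that range, refusing to overwrite anything that already exists. It assumes the db_<newest_epoch>_<oldest_epoch>_<id> folder naming the thread refers to (with an optional trailing GUID segment on clustered buckets left untouched); all paths and bucket names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread or from Splunk.
# Renumber copied bucket folders so their ids land above the ids already
# present in the destination index, avoiding the duplicate-id warning that
# disables the index at startup. Bucket folder names are assumed to follow
# db_<newest_epoch>_<oldest_epoch>_<id>[_<guid>] (assumption for this example).

# Print the highest numeric bucket id found among db_*/rb_* folders in DIR (0 if none).
max_bucket_id() {
    local dir="$1" max=0 path name id
    for path in "$dir"/db_* "$dir"/rb_*; do
        [ -d "$path" ] || continue
        name=$(basename "$path")
        # the 4th '_'-separated field is the local bucket id
        id=$(printf '%s' "$name" | cut -d_ -f4)
        case "$id" in ''|*[!0-9]*) continue ;; esac
        [ "$id" -gt "$max" ] && max=$id
    done
    echo "$max"
}

# Print NAME with its id field increased by OFFSET; other fields are kept as-is.
renumbered_name() {
    printf '%s\n' "$1" | awk -F_ -v off="$2" 'BEGIN { OFS = "_" } { $4 = $4 + off; print }'
}

# Copy every db_* bucket folder from SRC into DEST, shifting ids above DEST's current maximum.
merge_buckets() {
    local src="$1" dest="$2" offset path name new
    offset=$(max_bucket_id "$dest")
    for path in "$src"/db_*; do
        [ -d "$path" ] || continue
        name=$(basename "$path")
        new=$(renumbered_name "$name" "$offset")
        if [ -e "$dest/$new" ]; then
            echo "refusing to overwrite existing bucket $dest/$new" >&2
            return 1
        fi
        cp -a "$path" "$dest/$new"
    done
}

# Usage (constructed paths): merge_buckets /tmp/copied/defaultdb/db /opt/splunk/var/lib/splunk/migrateddb/db
if [ "$#" -eq 2 ]; then
    merge_buckets "$1" "$2"
fi
```

Run it with Splunk stopped on the destination indexer, once per index and once for the db and colddb folders, and check splunkd.log after the restart for bucket warnings. Because the offset is the destination's current maximum id, buckets arriving from several source indexers can be merged in successive runs without colliding.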
That's the easy part. The hard part is moving from one index cluster to another.
How would we move indexed data from a large production index cluster to a smaller development index cluster? The idea here is to be able to make changes in a lower environment before modifying production. Especially with Enterprise Security, we would make changes, see the impact (e.g. did it work, what did it do to the indexer host, etc.), then copy those changes to production.
So we would want to copy indexes from one cluster to another, but only a subset; maybe 90 days worth?
Is there a documented process for this?