Solved: Issue with indexed data while moving to new instan...

vnravikumar · ‎12-15-2020

Hi

I moved the Splunk server(ver.8.0.2 stand alone) into a new instance by copying the entire setup(/opt/splunk). Both are running in Centos7 but the issue is when I started the server in a new instance all the data(till yesterday) got removed from the indexes and the server contains only today's data. What could be wrong? I moved the entire setup. Need your help here. Or at least how to restore from /opt/splunk/var/lib/.

Thanks,

saravanan90 · ‎12-15-2020

If we are migrating standalone instance then above will surely work. Once it is moved, need to update the host in /opt/splunk/etc/system/local/inputs.conf. Check the index files /opt/splunk/var/lib/splunk/$indexname$/db/ are present before & after restarting in new instance.

View solution in original post

saravanan90 · ‎12-15-2020

If we are migrating standalone instance then above will surely work. Once it is moved, need to update the host in /opt/splunk/etc/system/local/inputs.conf. Check the index files /opt/splunk/var/lib/splunk/$indexname$/db/ are present before & after restarting in new instance.

vnravikumar · ‎12-16-2020

Thank you.

Issue with indexed data while moving to new instance

indexer

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?