Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Migrating Indexed data to different splunk instance

Gowtham0809
New Member
‎11-21-2019 01:39 AM

Hello

Is it possible to migrate indexed data from one Splunk instance to another splunk instance.

I have a few indexes which have been holding data for a few years and now I need to move this to a different spunk instance. New Splunk instance completely new environment without any of the old indexes created in it

Thanks,

0 Karma
Reply

woodcock
Esteemed Legend
‎11-21-2019 07:30 AM

It is easy if the new system has no data; just rsync the entire directory structures for the indexed data over.

If the old system has data for the same index values, you need to understand the meaning of the <indexname>.dat file and you may need to modify bucket IDs. A bucket looks like this db_1571769855_1571338901_193 The _193 is the bucket ID. This is arbitrary (except for the value in <indexname>.dat) and must be unique within any index (across both warm and cold directories). If you have two ..._123 buckets, one of them will have to be renamed. The trick is that the value in <indexname>.dat is the next available incrementalbucket ID` value for that index. You need to make sure that as you are reconciling conflicts and consuming higher numbers, that you also bump up that number.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2019 02:22 AM

Hi @Gowtham0809,
yes it's possible to migrate data from a Splunk instance to another.
There are two situations:

  1. If in the same index of the new instance you haven't data;
  2. If in the same index of the new instance you already have data.

In the first case, you can follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Moveanindex and move indexes from the old instance to the new one.

In the second case, the easier approach is to export data in row format (e.g. using a search index=my_index and export data)
and reindexing them in the new instance.
Put attention when you export data that you are exporting all the data ( https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/ExportdatausingSplunkWeb ).

Obviously you'll exceed your license for a day, but usually it isn't a problem, anyway put attention if you have other exceedings in the last 30 days to avoid license violations.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top