We currently have a single Splunk server with a large storage array. We're in the process of building out a new Splunk 5 cluster. What's the best process for getting my old data into the new cluster? Do I make the cluster a license slave of the old server and then just enable forwarding on the old server to the new cluster? Will that cause all of my old indexed data to migrate to the new cluster without blowing through the license?
You can add your existing indexer to the cluster as a peer, but note that the cluster will not replicate any index buckets that already exist on that indexer. There is a documentation topic in the Managing Indexers and Clusters manual that talks about this.
I've accomplished this "provide access to legacy data while implementing new cluster" goal by creating a separate "cluster of one", with replication factor of 1, searchable factor of 1 containing just the legacy indexer(s). The search head then refers to both cluster masters. The legacy indexer doesn't receive any data, but will participate in searches until it is retired.
Note that placing an existing indexer in a cluster with RF > 1 may result in data being replicated to it. If the goal is to retire the old hardware, the separate cluster approch is probably your best bet.
There are no major changes to this aspect of clustering in Splunk Enterprise 6.0. From that same documentation topic: You can add a non-clustered indexer to a cluster (as a peer node) at any time. To do so, just enable the indexer as a peer, then it participates in the cluster the same as any other peer. Any new data coming into the peer gets replicated according to the replication factor, and the peer is also a candidate for receiving replicated data from other peers. Data already on the indexer does not get automatically replicated, but it does participate in searches.