@SN1 

If you're moving the entire instance (including historical data, configs, and users) from one machine to another:

Migrate a Splunk Enterprise instance from one physical machine to another | Splunk Docs

Restore Archived Indexed Data (Bucket-Level Transfer):

If you want to move specific historical data (e.g., cold/frozen buckets) to another instance:

Restore archived indexed data | Splunk Docs

You can copy bucket files into the thaweddb directory of the target index on the new instance. This is ideal for selective historical data recovery.

Hi @SN1 ,

let me understand: you have two stand alone Splunk servers and you want to send data of an index from the second to the first, is it correct?

if this is your requirement, the first question should be why?

but anyway, I need other two information for your solution:

• is there another Heavy forwarder forwarding these logs?
• do you want to forward all the data or only the ones of one index?

if logs passing through another Splunk full instance (Heavy Forwarder), you have to work on it otherwise on the ServerB.

You have to create a fork following the instructions at https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/... 

if you want to forward all logs, you can configure forwarding and receiving [Settings > Forwarding and Receiving > Forwarding] with the option "Index and forwardiung", in this way you forward all logs maintaining a local copy of them, for more information see at https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/... 

If instead you want to forward only a subset of data you have to use the configurations at https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/... 

Ciao.

Giuseppe

Hi @SN1 

Can you confirm - is this historic data that has already been indexed, or new data which is being received currently?

If you are currently receiving data into A and want to send to B then check out https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/...

If you are looking to move old indexes from A to B then the easiest way is to copy the buckets from one system to the other, if they are both standalone instances with unique GUID then this should be fine - just make sure you define the indexes in indexes.conf 🙂

Check out https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.4/upgrade-or-migrate-...for more information on how to migrate from one to the other.

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing