
Can I convert an indexer cluster into a single indexer without losing any data?

bestSplunker
Contributor

current Splunk architecture:

a standalone search head + an indexer cluster (contains three indexers)+ a cluster master node

I want to convert it into a distributed search with a search header + an indexer ? And without losing any data — how can I do that? I didn't find the answer in the official document.

1 Solution

tiagofbmm
Influencer

Sorry @bestSplunker it seems the scope of your question changed. So no, a single indexer most likely doesn't contain all the data. To transform an indexer cluster into a single indexer you need to decommission one indexer at a time so the cluster master will order the copy of buckets to the remaining machines in the cluster.

If you want one of the current indexers to contain all the buckets:

1 Choose one of the machines to be the remaining one.

2 Put the remaining two in detention mode so they won't be getting more data from the replication process when you decommission another peer: https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Peerdetention

3 decommission one peer at a time using Splunk offline enforce counts command so the buckets from that peer are copied to the one you elected as the remaining one after this whole process is finished. https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Takeapeeroffline

4 check on your cluster master when the bucket fixing process has finished, meaning the necessary bucket replication happened to fulfill your Replication and Search factors.

When it is finished, repeat step 3 and 4 until you have one indexer only. It will have all the buckets and all will be searchable. Consider storage capacity for this.

5 remove the peers from the cluster until none is left (since you want only a single machine without any clustering activity)

https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Removepeerfrommasterlist

Now you have an empty cluster and you can get rid of the cluster master and point the SH in distributed search like mentioned above

https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Overviewofconfiguration

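A check for step 4, added here as an example and not part of the answer or of Splunk's own tooling: it asks the cluster master's REST API for outstanding replication-factor and search-factor fix-ups and for peer status, so the next peer is only taken offline once the kept peer actually holds its bucket copies. The endpoint paths and the `label`/`status` fields are assumptions taken from the Splunk REST reference; the host name and sample responses are constructed.

```python
import base64
import json
import os
import ssl
import urllib.request

# Cluster master REST endpoints (assumption: from the Splunk REST API reference;
# verify against your version's docs). count=0 returns every entry.
FIXUP_PATH = "/services/cluster/master/fixup?level={level}&output_mode=json&count=0"
PEERS_PATH = "/services/cluster/master/peers?output_mode=json&count=0"


def pending_fixups(fixup_json):
    """Buckets still awaiting fix-up at the queried level; 0 means that factor is met."""
    return len(fixup_json.get("entry", []))


def peer_status(peers_json):
    """Map each peer's label to its status string, e.g. {'idx1': 'Up'} (field names assumed)."""
    return {e["content"]["label"]: e["content"]["status"] for e in peers_json.get("entry", [])}


def safe_to_take_next_peer(rf_fixups, sf_fixups, peers, keep):
    """Only proceed when no RF or SF fix-ups remain and the peer you keep is still Up."""
    return (pending_fixups(rf_fixups) == 0
            and pending_fixups(sf_fixups) == 0
            and peers.get(keep) == "Up")


def fetch(base_url, path, user, password):
    """GET a management-port endpoint with basic auth; TLS verification stays on."""
    req = urllib.request.Request(base_url + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as r:
        return json.load(r)


# Constructed sample responses in the output_mode=json shape (not real cluster data).
SAMPLE_RF = {"entry": [{"name": "main~3~CONSTRUCTED-GUID", "content": {}}]}
SAMPLE_SF = {"entry": []}
SAMPLE_PEERS = {"entry": [{"content": {"label": "idx1", "status": "Up"}},
                          {"content": {"label": "idx2", "status": "Decommissioning"}}]}

if __name__ == "__main__":
    cm = os.environ.get("CM_URL", "https://cluster-master.example:8089")  # placeholder host
    user, pw = os.environ.get("SPLUNK_USER", "admin"), os.environ["SPLUNK_PASSWORD"]
    rf = fetch(cm, FIXUP_PATH.format(level="replication_factor"), user, pw)
    sf = fetch(cm, FIXUP_PATH.format(level="search_factor"), user, pw)
    peers = peer_status(fetch(cm, PEERS_PATH, user, pw))
    print(f"RF fix-ups: {pending_fixups(rf)}  SF fix-ups: {pending_fixups(sf)}  peers: {peers}")
    print("OK to take the next peer offline" if safe_to_take_next_peer(rf, sf, peers, os.environ.get("KEEP_PEER", "idx1"))
          else "WAIT: fix-up still in progress or the kept peer is not Up")
```

Run it between each `splunk offline --enforce-counts` and the next one; a non-zero fix-up count means buckets are still being copied and removing another peer at that point is where data can be lost.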


tiagofbmm
Influencer

Alright that will be easier then. Just spin up a Splunk instance that will be your search head, and add your current one as a search peer in the distributed search menu of the search head. All the data will be searchable from the search head. Then you can disable the UI interface of the indexer.

Don't forget to forward all the data generated in your search head to the indexer so you can track everything about it

https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Overviewofconfiguration


tiagofbmm
Influencer

@bestSplunker if this solved your problem, please accept and upvote the answer


bestSplunker
Contributor

@tiagofbmm Are you sure it works? In an indexer cluster, if I separate one of the indexers from the indexer cluster, does that indexer hold all the complete data? Because when I try to search for the same data on each indexer, different indexers in the indexer cluster return different results. If the data is searched from the search header, it is merged back on the search header. Therefore, in the indexer cluster, the data stored by each indexer is not complete, and it needs each indexer to return its results to the search header to be merged in order to provide complete data.


tiagofbmm
Influencer

Create a new instance to be your cluster master, and one to be your search head that will search all the indexers. You will not lose any data; only the newly created buckets of data will respect your Replication and Search Factor, but all your past data will remain available.

Follow this guide
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Clusterdeploymentoverview


bestSplunker
Contributor

@tiagofbmm I'm sorry, but I corrected my question. In fact, I want to convert it into a distributed search with 1 sh + 1 indexer. I don't need an indexer cluster anymore, nor do I need a master node.
