Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to migrate indexes and fields

xsstest
Communicator
‎04-17-2017 12:19 AM

A:I have a stand-alone Splunk Enterprise,This includes search, indexing。
B:Now,I built a Splunk cluster,The Splunk cluster includes (three search servers, three index servers, one deployment server, multiple universal forwarders).

question:

 How to migrate stand-alone version of the Splunk index and the field to the cluster (search  servers)

Also: Is there a talk about Splunk's technical group? May i join?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎04-17-2017 04:09 AM

First you'll want a firm understanding of index time versus search time field extractions and transformations by reading over the props.conf and transforms.conf documentation.

Then you can pretty much just follow these articles:

http://docs.splunk.com/Documentation/Splunk/6.5.3/Indexer/Migratenon-clusteredindexerstoaclustereden...

http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/Migratefromstandalonesearchheads

You'll note they say contact splunk PS for migrating the data. It can be easier to just leave the old standalone indexer up and running and use it as a search peer on the new SHC. Migrating the data requires a bit of scripting to attach the cluster guid to the bucket file names, and also needs to take into consideration the possibility of bucket collisions and other posibillities... Which is why they recommend contacting PS if it's absolutely necessary.

View solution in original post

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-20-2017 03:31 AM

What do you mean about joining Splunks technical group?

There is a slack channel and an irc channel open to the public.

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎04-17-2017 04:09 AM

First you'll want a firm understanding of index time versus search time field extractions and transformations by reading over the props.conf and transforms.conf documentation.

Then you can pretty much just follow these articles:

http://docs.splunk.com/Documentation/Splunk/6.5.3/Indexer/Migratenon-clusteredindexerstoaclustereden...

http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/Migratefromstandalonesearchheads

You'll note they say contact splunk PS for migrating the data. It can be easier to just leave the old standalone indexer up and running and use it as a search peer on the new SHC. Migrating the data requires a bit of scripting to attach the cluster guid to the bucket file names, and also needs to take into consideration the possibility of bucket collisions and other posibillities... Which is why they recommend contacting PS if it's absolutely necessary.

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎04-17-2017 04:05 AM

How many concurrent searches do you have? I would suggest making an index cluster first then move to a search head cluster when you have more users searching.

First step would be to create the master node instance, then create your indexers, then search heads. You should join each instance to the license pool and setup your DS and forwarders.

I think you will need to manually add the data to your clustered indexers since old data will not populate onto the new nodes

Here's a link discussing rebalancing data along the nodes

http://docs.splunk.com/Documentation/Splunk/6.5.3/Indexer/Rebalancethecluster

You should also look into joining the Splunk Slack channel

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...