- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: Migrate Summarydb from standalone to SHC
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Experts,
Asking this question as my brain's jammed thinking over it.
I have a standalone SH which has a summarydb. I want to move them to 10 member search head cluster. I know these are the things to make sure
1. Compare the bucketids from standalone and SHC and rename if there are any conflicts and move (Offcourse after rolling stuff from hot to warm)
2. Now, i know to migrate indexes to a IDX cluster, i can distribute the buckets among all of the indexers. Is it the same with SHC? I mean, should i copy the entire summarydb to each search head cluster member or distribute buckets to each?
3. Since the standalone has too many buckets, can i just rename the summarydb on SHC members to xsummarydb and then migrate the Standalone summarydb to take that place?
Appreciate your help.
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please stop and reconsider!
In a search head cluster (SHC), you should not have any indexing occurring in the cluster. All indexing should happen on the indexers.
The SHC does not replicate indexes, only knowledge objects and search artifacts (ie, search results). Leaving the summary indexes on any or all of the search heads will not work - you will end up with missing data, either data that is not summarized or data that is missing from search results. It simply doesn't work that way.
Clustered search heads must forward their summary indexes to the indexer tier. In the Distributed Search manual, the process for this is documented here. This is also a best practice for standalone search heads. Internal logs should also be forwarded - and will be if you follow the documentation.
BTW,this is also a best practice for any other Splunk instances, such as License Masters or Deployment Servers, that are not running on the indexer tier.
Finally, you should be able to copy the existing summary index from one search head to a single member of the indexer tier. Searches against that index will be a bit unbalanced for some time period, but will eventually spread across all indexers as new data is summarized. You could also split it up - but I think that should be a separate question: "how do I move a summary index from a search head to multiple indexers?" would be nice...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please stop and reconsider!
In a search head cluster (SHC), you should not have any indexing occurring in the cluster. All indexing should happen on the indexers.
The SHC does not replicate indexes, only knowledge objects and search artifacts (ie, search results). Leaving the summary indexes on any or all of the search heads will not work - you will end up with missing data, either data that is not summarized or data that is missing from search results. It simply doesn't work that way.
Clustered search heads must forward their summary indexes to the indexer tier. In the Distributed Search manual, the process for this is documented here. This is also a best practice for standalone search heads. Internal logs should also be forwarded - and will be if you follow the documentation.
BTW,this is also a best practice for any other Splunk instances, such as License Masters or Deployment Servers, that are not running on the indexer tier.
Finally, you should be able to copy the existing summary index from one search head to a single member of the indexer tier. Searches against that index will be a bit unbalanced for some time period, but will eventually spread across all indexers as new data is summarized. You could also split it up - but I think that should be a separate question: "how do I move a summary index from a search head to multiple indexers?" would be nice...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Makes perfect sense....i was skeptical with having indexing on Search layer...Thank you Lisa!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
