I want to export event data from one indexer and import them to another indexer.
I used the following command to export event data under the 'main' index to a folder called 'events' under /tmp:
/opt/splunk/bin/splunk export eventdata -index main -dir /tmp/events
It has no problem.
Then I created an NFS share for the 'events' folder and mounted it on my second Splunk indexer machine. I can use 'ls /mnt/events' to see all files remotely.
Then I used the following command to import event data:
./splunk import eventdata -index main -dir /mnt/events
I got the following error:
The subcommand 'eventdata' is not valid for command 'import'.
What is the problem here? Why is 'eventdata' invalid during import when it is valid during export?
The splunk import command actually only supports the userdata subcommand - it is not designed to import event data. I have filed a documentation bug (reference SPL-56401) to clarify this fact in the CLI help.
In my opinion, the best way to merge two indexes together is described in this Wiki topic - please pay special attention to the "Scrubbing the bucket IDs" section! - and this Splunk Answer. And this one, too.