Error when importing event data

Path Finder

Hi,

I want to export event data from one indexer and import it to another indexer.

I used the following command to export event data under the 'main' index to a folder called 'events' under /tmp:

/opt/splunk/bin/splunk export eventdata -index main -dir /tmp/events

It has no problem.

Then I created an NFS share for the 'events' folder and mounted it on my second Splunk indexer machine. I can use 'ls /mnt/events' to see all files remotely.

Then I used the following command to import event data:

./splunk import eventdata -index main -dir /mnt/events

I got the following error:

The subcommand 'eventdata' is not valid for command 'import'.

What is the problem here? Why is 'eventdata' invalid during import when it is valid during export?

0 Karma
Re: Error when importing event data

Splunk Employee

If you're trying to move a whole index, you can just move the index itself.

You can also rebuild an index if you need to merge data. Let me know if you need to.

Re: Error when importing event data

Path Finder

I want to move the data from one indexer to another one by merging them with existing data.

0 Karma
Re: Error when importing event data

Splunk Employee

The splunk import command actually only supports the userdata subcommand - it is not designed to import event data. I have filed a documentation bug (reference SPL-56401) to clarify this fact in the CLI help.
In my opinion, the best way to merge two indexes together is described in this Wiki topic - please pay special attention to the "Scrubbing the bucket IDs" section! - and this Splunk Answer. And this one, too.