We need to close a splunk installation. How do we ...

pwarricker · ‎06-05-2015

We have a contract coming to its end and need to close Splunk for them, but we still need all the data accessible afterwards so that it can be loaded into a different Splunk instance if required.

aholzer · ‎06-05-2015

We had to do this with an old standalone instance when we purchased hardware for a clustered environment. Here's what you need to do:

Check # of events in the index on a clustered indexer. Example: search index=juniper returns 619 events
Check # of events in the index on a standalone (old) indexer. Example: search index=188961 returns 2798 events
Copy / zip buckets from 188961 index on standalone indexer to some temporary repository on clustered indexer
Put cluster master in maintenance mode
Stop Splunk on clustered indexer
Copy / unzip buckets from 188961 index into the colddb directory of the juniper index on the clustered indexer
Start Splunk on clustered indexer
Take cluster master out of maintenance mode
Confirm search returns sum of both results. Example: search index=juniper on cluster master (returns 3417 events)

Hope this helps

We need to close a splunk installation. How do we prepare and export all the logs it has collected to use in a different Splunk instance?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!