Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Move Index Files from one system to another

brianokelly
Explorer
‎09-27-2011 11:56 PM

We are planning to roll out an active/active solution in two data centers. Each DC splunk instance will only handle local logs. We are looking to put a plan in place should a failure of one site occur.

  1. What is the best mechanism/tools to handle this situation.
  2. What should be planned for e.g. use different index names in each site e.g. main_site1 and main_site2? Both sites will handle similar logs and peer to each other for searches.
Tags (2)
0 Karma
Reply

Lowell
Super Champion
‎09-28-2011 07:07 AM

I'd suggest that you also checkout this question and answer:

http://splunk-base.splunk.com/answers/7479/what-is-the-best-way-to-retrieve-data-from-a-remote-site-...

There's a comment about the isReadOnly setting in indexes.conf which you may want to look into as well. The idea is to prevent accidental writing to a replicated index. It's possible that read-only file permissions may also be a good idea in this case. (BTW, I assuming that you aren't going to try to let both sites index data into both each others directories, because that will not work.)

It may be a good idea to work though a plan with splunk support for your specific setup.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-28-2011 04:37 AM

Hi brainokelly

about moving an index find the docs here.

If you plan to move one site to another in case of a failure, then I would do as you wrote in question 2. Call them main_site1 and main_site2. This way you are able to move the index back to its original site and even keep the data collected while it was on the failure site.

hope you can follow me 🙂

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...