Splunk Enterprise

Add new indexers, keeping old for historical

tlmayes
Contributor

I have an indexer challenge that I was hoping to get help with. We have 4 indexers with a significant amount of historical data. We are adding 4 new indexers with significantly more resources to overcome performance problems. Is it possible to do the following, and if so, what would be the best way to address this?

  • Write all new events to the 4 new indexers
  • Keep the 4 old indexers online and searchable, but do not write new events to these indexers
  • Search is possible against all 8 indexers
  • NO replication between the 4 old and 4 new indexers. Only replication within their group.

Thanks in advance for the help

0 Karma
1 Solution

Elsurion
Communicator

This is quite simple.

You only have to replace the 4 old indexers with your 4 new indexers in the outputs.conf of your forwarders, and then they will send the data to the new ones.
On the Master you have to add the 4 new indexers as search peers.

0 Karma

tlmayes
Contributor

I figured as much, but asking never hurt (learn from somebody else, before causing bigger problems). Regarding replication, what is to keep the old indexers from replicating with the new? I do not want the new indexers to know about the old indexed events.

0 Karma

Elsurion
Communicator

You have to edit the cluster configuration.

At the moment I don't have a replication environment here, but in my notes I have a note that you can just edit the cluster config to replace the old ones with the new ones.

But I suggest you give the old ones a new site id and use the old site id for the new ones.

The parameter -site_replication_factor does the magic with the replication.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Sitereplicationfactor

0 Karma

tlmayes
Contributor

Thanks... Found that same link as well a few minutes ago and agree that the answer is to create a new site, and search against both.

0 Karma
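
A configuration sketch of the approach the thread settles on (forwarders send only to the new indexers, old and new indexers sit in separate sites, and replication stays inside each site). This is an added example, not configuration posted by either participant or taken from Splunk's documentation. Host names, port 9997, the site IDs and a replication factor of 2 per group are assumptions, and only the settings relevant to this change are shown.

```ini
# --- outputs.conf on every forwarder ---
# Only the new indexers are listed, so the old ones receive no new events.
# Host names and the receiving port are placeholders (assumed).
[tcpout]
defaultGroup = new_indexers

[tcpout:new_indexers]
server = idx-new1.example.com:9997,idx-new2.example.com:9997,idx-new3.example.com:9997,idx-new4.example.com:9997

# --- server.conf on the cluster master ---
# Two sites: site1 = new indexers, site2 = old indexers (IDs assumed).
# origin:2,total:2 keeps both copies of a bucket on the site where it was
# indexed, so nothing is replicated from one group to the other.
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
site_replication_factor = origin:2,total:2
site_search_factor = origin:1,total:1

# --- server.conf on each NEW indexer ---
[general]
site = site1

[clustering]
mode = slave
master_uri = https://cluster-master.example.com:8089

# --- server.conf on each OLD indexer ---
# Same master, different site: still searchable, but in its own
# replication group.
[general]
site = site2

[clustering]
mode = slave
master_uri = https://cluster-master.example.com:8089
```

Because both sites report to the same master, a search head attached to that cluster searches all 8 indexers.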