Splunk Enterprise

Add new indexers, keeping old for historical

tlmayes
Contributor

I have an indexer challenge that I was hoping to get help with. We have 4 indexers with a significant amount of historical data. We are adding 4 new indexers with significantly more resources to overcome performance problems. Is it possible to do the following, and if so, what would be the best way to address this?

  • Write all new events to the 4 new indexers
  • Keep the 4 old indexers online and searchable, but do not write new events to these indexers
  • Search is possible against all 8 indexers
  • NO replication between the 4 old, and 4 new indexers. Only replication within their group.

Thanks in advance for the help

1 Solution

Elsurion
Communicator

This is quite simple.

You only have to replace the 4 old indexers with your 4 new indexers in the outputs.conf of your forwarders, and then they will send the data to the new ones.
On the Master you have to add the 4 new indexers as search peers.


tlmayes
Contributor

I figured as much, but asking never hurt (learn from somebody else, before causing bigger problems). Regarding replication, what is to keep the old indexers from replicating with the new? I do not want the new indexers to know about the old indexed events.


Elsurion
Communicator

You have to edit the cluster configuration.

At the moment I don't have a replication environment here, but in my notes I have a note that you can just edit the cluster config to replace the old ones with the new ones.

But I suggest you give the old ones a new site id and use the old site id for the new ones.

The parameter -site_replication_factor does the magic with the replication.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Sitereplicationfactor


tlmayes
Contributor

Thanks... Found that same link as well a few minutes ago and agree that the answer is to create a new site, and search against both.
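
A sketch of the configuration this thread converges on, added here as an example and not taken from either poster's environment: forwarders send only to the new indexers, and a multisite cluster keeps every bucket copy inside the site that indexed it. The hostnames, the 9997 receiving port, the site names and the factor values are assumptions.

```ini
# --- outputs.conf on every forwarder ---
# List only the four new indexers so no new events reach the old ones.
[tcpout]
defaultGroup = new_indexers

[tcpout:new_indexers]
server = idx-new1.example.com:9997, idx-new2.example.com:9997, idx-new3.example.com:9997, idx-new4.example.com:9997

# --- server.conf on the cluster master ---
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
# origin equals total: every copy of a bucket stays in the site that
# indexed it, so nothing replicates between the old and new groups.
site_replication_factor = origin:2,total:2
site_search_factor = origin:1,total:1

# --- server.conf on each NEW indexer (assumed to take site1) ---
[general]
site = site1

[clustering]
mode = slave
master_uri = https://cm.example.com:8089

# --- server.conf on each OLD indexer (assumed to take site2) ---
[general]
site = site2

[clustering]
mode = slave
master_uri = https://cm.example.com:8089

# --- server.conf on the search head (searches peers in both sites) ---
[general]
site = site1

[clustering]
mode = searchhead
multisite = true
master_uri = https://cm.example.com:8089
```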
