Splunk Enterprise

Add new indexers, keeping old for historical

tlmayes
Contributor

I have an indexer challenge that I was hoping to get help with. We have 4 indexers with a significant amount of historical data. We are adding 4 new indexers with significantly more resources to overcome performance problems. Is it possible to do the following, and if so, what would be the best way to address this?

  • Write all new events to the 4 new indexers
  • Keep the 4 old indexers online and searchable, but do not write new events to these indexers
  • Search is possible against all 8 indexers
  • NO replication between the 4 old, and 4 new indexers. Only replication within their group.

Thanks in advance for the help

0 Karma
1 Solution

Elsurion
Communicator

This is quite simple.

You only have to replace the 4 old Indexers with your 4 new Indexers in the outputs.conf of your forwarders, and then they will send the data to the new ones.
On the Master you have to add the 4 new Indexers as search peers.


0 Karma
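The forwarder change described in the answer, as an added illustration that is not part of the original post. Hostnames, the output group name and the use of a static server list (rather than indexer discovery) are assumptions; with a static list, a forwarder only ever sends to the indexers named in its `server` line, so the old group stops receiving new events the moment this file is deployed and the forwarders reload.

```ini
# outputs.conf on the forwarders (deployed via the deployment server or deployed manually)
# Hostnames are constructed examples.

# BEFORE: forwarders auto-load-balance across the four old indexers
[tcpout]
defaultGroup = idx_old

[tcpout:idx_old]
server = old-idx1.example.com:9997,old-idx2.example.com:9997,old-idx3.example.com:9997,old-idx4.example.com:9997
useACK = true

# AFTER: the same group name now lists only the four new indexers.
# Old indexers are not referenced anywhere, so they receive no new events
# but stay online and searchable for the historical data they already hold.
[tcpout]
defaultGroup = idx_new

[tcpout:idx_new]
server = new-idx1.example.com:9997,new-idx2.example.com:9997,new-idx3.example.com:9997,new-idx4.example.com:9997
useACK = true
```

Keep `useACK = true` (or whatever the existing setting is) through the cutover so that events in flight during the switch are acknowledged by the new receivers rather than lost. On the search head, verify afterwards that all eight indexers appear under Settings > Distributed search > Search peers (or as cluster peers, if clustered) with status Up.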

tlmayes
Contributor

I figured as much, but asking never hurt (learn from somebody else, before causing bigger problems). Regarding replication, what is to keep the old indexers from replicating with the new? I do not want the new indexers to know about the old indexed events.

0 Karma

Elsurion
Communicator

You have to edit the cluster configuration.

At the moment I don't have a replication environment here, but in my notes I have a note that you can just edit the cluster config to replace the old ones with the new ones.

But I suggest you give the old ones a new site ID and use the old site ID for the new ones.

The parameter -site_replication_factor does the magic with the replication.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Sitereplicationfactor

0 Karma
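The multisite layout the answer points to, as an added example rather than anything from the original thread. Site names, hostnames, the cluster label and the key are placeholders. The security-relevant setting is `site_replication_factor`: with `total` equal to `origin`, every copy of a bucket stays on the site where it was ingested, so the two indexer groups never exchange raw data while the search head still searches both.

```ini
# server.conf on the cluster manager (master) -- all values are constructed placeholders
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
cluster_label = idx_cluster
pass4SymmKey = <shared-secret-placeholder>
# origin:2,total:2 -> two copies, both on the originating site, no cross-site copies
site_replication_factor = origin:2,total:2
site_search_factor = origin:1,total:1

# server.conf on each NEW indexer (the site that receives new events)
[general]
site = site1

[clustering]
mode = slave
master_uri = https://cluster-manager.example.com:8089
pass4SymmKey = <shared-secret-placeholder>

# server.conf on each OLD indexer (historical data only)
[general]
site = site2

[clustering]
mode = slave
master_uri = https://cluster-manager.example.com:8089
pass4SymmKey = <shared-secret-placeholder>

# server.conf on the search head: site0 disables search affinity,
# so searches span both sites (all eight indexers)
[general]
site = site0

[clustering]
mode = searchhead
multisite = true
master_uri = https://cluster-manager.example.com:8089
pass4SymmKey = <shared-secret-placeholder>
```

Two checks are worth doing after a restart: confirm on the manager that `splunk show cluster-status` lists every peer under its expected site, and run a search with `| rest /services/cluster/master/buckets` (or inspect the Indexer Clustering dashboard) to confirm that newly created buckets report copies only on site1 peers. The `pass4SymmKey` must be the same on manager, peers and search head, and should be distributed through the deployment mechanism rather than pasted into tickets or chat.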

tlmayes
Contributor

Thanks... Found that same link as well a few minutes ago and agree that the answer is to create a new site, and search against both.

0 Karma