Splunk Enterprise

Add new indexers, keeping old for historical

tlmayes
Contributor

I have an indexer challenge that was hoping to get help with. We have 4 indexers with a significant amount of historical data. We are adding 4 new indexers with significantly more resources to overcome performance problems. Is it possible to do the following and if so what would be the best way to address this?

  • Write all new events to the 4 new indexers
  • Keep the 4 old indexers online and searchable, but do not write new events to these indexers
  • Search is possible against all 8 indexers
  • NO replication between the 4 old, and 4 new indexers. Only replication within their group.

Thanks in advance for the help

0 Karma
1 Solution

Elsurion
Communicator

This is quite simple.

You only have to replace the 4 old with your 4 new Indexer in the outputs.conf of your forwarders, and then they will send the data to the new ones.
On the Master you have to add the 4 new Indexers as Searchpeers

View solution in original post

0 Karma

Elsurion
Communicator

This is quite simple.

You only have to replace the 4 old with your 4 new Indexer in the outputs.conf of your forwarders, and then they will send the data to the new ones.
On the Master you have to add the 4 new Indexers as Searchpeers

0 Karma

tlmayes
Contributor

I figured as much, but asking never hurt (learn from somebody else, before causing bigger problems). Regarding replication, what is to keep the old indexers from replicating with the new? I do not want the new indexers to know about the old indexed events.

0 Karma

Elsurion
Communicator

You have to to edit cluster configuration.

At the moment i haven't here a replication environment, but in my notes i have a note that you can just edit the cluster config to replace the old with the new ones.

But I suggest you give the old one a new site id and using for the new ones the old site id.

the parameter -site_replication_factor does the the magic with the replication.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Sitereplicationfactor

0 Karma

tlmayes
Contributor

Thanks... Found that same link as well a few minutes ago and agree that the answer is to create a new site, and search against both.

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...