Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Copy the indexed bucket to another index path

splunker12er
Motivator
‎06-29-2014 07:26 AM

Is it possible for me to copy the specific Index bucket to another Index path,

Eg:
I want to copy the indexed data from index name 'My-Index-Name-1' to 'My-Index-Name-2'
Just by cut and copy the bucket to new index path, will work ?

Search query: (will this work , after copy ?)

index=My-Index-Name-2 | table _raw

Details:

Index Name ->My-Index-Name-1
State -> Warm
Path -> /opt/splunk/var/lib/splunk/My-Index-Name-1/db/db_1403947472_1403779602_8
Tags (3)
0 Karma
Reply

lguinn2
Legend
‎06-29-2014 12:27 PM

This is risky to do, as each bucket in an index has an identifier that is unique to that index. If you copy a bucket to a different index, you will almost certainly cause a collision of bucket ids, which will cause errors.

It is safer to simply re-index the data, placing in the index where you want it to go.

If you have a deep understanding of how buckets and indexes are organized, you might consider how you could use tools like rebuilding buckets. But I am sure that Splunk Support would recommend against it.

Reply

splunker12er
Motivator
‎06-30-2014 08:51 PM

I do need carefully select the selective Warm dbs and move to the new index folder , and check for bucket_id clash. if any I do need to modify the range accordingly and run the below command :

 ./splunk _internal call /data/indexes/MY-INDX-NAME/rebuild-metadata-and-manifests

doing so, I can be successful in moving the indexed data from one index to another index. (my case i want the data to be searched in the other index name)
Am i fine with the understanding? please correct me , if i am wrong.

0 Karma
Reply

splunker12er
Motivator
‎06-29-2014 07:28 AM

whether the index name also stored along with the indexed data ? Or it depends on the path where the index resides ?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...