Splunk Enterprise

How to move data from old indexer to new setup?

awendler
Explorer

We used to use Splunk on a very, very slow and old machine and we have about 9 years of logs on that machine.

We recently moved to a much, much nicer 6 server cluster and want to decommission the old machine but do not want to lose those logs.

How can we move the data from the old setup into the new? The smart thing may have been to move it BEFORE powering up the new setup but we did not do that, so now the past 3 months of logs are indexed and stored in the new setup while the old setup has years of data from before that turn on date.

0 Karma

ChrisG
Splunk Employee

This is covered in the Managing Indexers and Clusters of Indexers manual. See the topic Move the index database.

0 Karma

vliggio
Communicator

This won't take into account conflicting bucket IDs that might exist since the index has been collecting data in the new system.

0 Karma

ChrisG
Splunk Employee

Ah, sorry, quite right.

0 Karma

vliggio
Communicator

Upgrade the old server to v6, then copy the buckets over to the new server.

This wiki post might help (see the advanced section, since you have existing buckets): http://wiki.splunk.com/Community:MoveIndexes
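
Added example, not part of the thread or of Splunk's documentation: a sketch of the bucket ID collision check that the replies above point to, run over directory listings of the same index on the old and new systems before any bucket is copied. It assumes the `db_<newest>_<oldest>_<id>` and `hot_v1_<id>` directory naming; `bucket_id`, `plan_renames` and the sample listings are constructed for illustration.

```python
import re

# Assumed directory naming (an assumption of this example, not stated in the thread):
#   warm/cold: db_<newest>_<oldest>_<id>[_<guid>]   (rb_ marks a replicated copy)
#   hot:       hot_v1_<id>
BUCKET_RE = re.compile(r"^(db|rb)_(\d+)_(\d+)_(\d+)((?:_[0-9A-Fa-f-]+)?)$")
HOT_RE = re.compile(r"^hot_v1_(\d+)$")

def bucket_id(name):
    """Return the numeric bucket ID encoded in a directory name, or None."""
    m = BUCKET_RE.match(name)
    if m:
        return int(m.group(4))
    m = HOT_RE.match(name)
    return int(m.group(1)) if m else None

def plan_renames(old_names, new_names):
    """Map old warm/cold buckets whose ID is taken in the new index to free IDs."""
    # Hot buckets in the new index count as taken: the ID stays when they roll.
    taken = {i for i in map(bucket_id, new_names) if i is not None}
    # Only rolled (db_/rb_) buckets are candidates for copying; skip everything else.
    old = sorted((n for n in old_names if BUCKET_RE.match(n)), key=bucket_id)
    next_id = max(taken | {bucket_id(n) for n in old}, default=-1) + 1
    plan = {}
    for name in old:
        prefix, newest, oldest, local_id, guid = BUCKET_RE.match(name).groups()
        if int(local_id) in taken:
            plan[name] = f"{prefix}_{newest}_{oldest}_{next_id}{guid}"
            next_id += 1
    return plan

# Constructed directory listings for one index (not from a real system).
OLD = ["db_1388534399_1385856000_0", "db_1391212799_1388534400_1",
       "db_1393631999_1391212800_7", "GlobalMetaData"]
NEW = ["db_1420070399_1417392000_0", "db_1422748799_1420070400_2", "hot_v1_7"]

if __name__ == "__main__":
    for src, dst in plan_renames(OLD, NEW).items():
        print(f"{src} -> {dst}")
```

The plan only lists names; review it against the wiki's advanced section before renaming or copying anything, and keep the old index intact until searches on the new cluster return the historical events.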
