Re: Migration from Windows Single Instance Deploym...

zayers2 · ‎05-15-2018

The scenario is the following: I work for a small company that installed Splunk initially for a small user base as a standalone deployment. The demand as expanded to multiple departments and we need to convert to a distributed deployment. The deployment would be one dedicated search head, and one indexer.

My question is would this work for a conversion process?
1: Enable Index Clustering on current standalone instance.
2: Make the current standalone instance as a master node.
3: Bring up new indexer as a peer node.
4: Replicate the data from standalone to new indexer
5: Make new indexer the master node
6: Convert current standalone to dedicated search head.

Is this a valid process?

brian_rampley · ‎05-15-2018

Is there a reason, such as storage limitations, that you need to migrate the data off the existing stand-alone instance? The obvious easy path I see is to stand up the new server as a search head, and convert your existing instance into a an indexer.

The issue with your current process is that your existing indexed data buckets are not "clustered" buckets, and will not replicate.

More info at this link: http://docs.splunk.com/Documentation/Splunk/7.1.0/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...

Migration from Windows Single Instance Deployment to Small Enterprise Distributed Deployment

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation