Splunk Enterprise

Moving SmartStore contents to another SmartStore

cking
Engager

We currently have a Splunk Enterprise cluster that uses SmartStore in AWS S3. We're looking to move the cluster to an entirely new AWS account.  However, we are not sure of the best way to move the contents of the SmartStore without corrupting any of the files that have been indexed.  What would be the best way to migrate from one SmartStore backend to another SmartStore backend without losing any data? 

0 Karma

cking
Engager

Hello Tejas, 

Thank you! We will give this a shot first in our dev environment and see how it goes.

0 Karma

tej57
Contributor

Hello @cking

You can follow the following steps for migrating the buckets from one smartstore location to the other.

- Enable maintenance mode on the cluster-manager

- Stop splunk on the indexer peers using splunk stop command.

- Ensure that all the hot buckets have been rolled to warm state

- Move all the buckets from current location to the desired one

- Change the associated parameters in indexes.conf

- Push the bundle to all the indexers

- Verify that the data is searchable and connected to the new storage.

You can refer to the following documentation link for migration steps - https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/MigratetoSmartStore. Although, the document mentions migration from non smartstore to smartstore index, similar steps can be used for migration to different S3 location. 

PS> This activity should be performed via Splunk PS due to complex nature of the task.

Thanks,
Tejas.

 

---

If the above solution helps, an upvote is appreciated.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...