Solved: Restoring data to new indexer for DR

jeffbat · ‎08-24-2021

I am running Splunk Enterprise on prem and have a set of indexers in a cluster in one region and another set of indexers in a separate cluster in a different region.

If region A is completely lost but we have backups in Region B of the data from Region A; is it possible to restore the data into the indexer cluster in Region B or would we have to restore the data and put into thawed and run the unthaw process bucket by bucket?

We are not running a multi-site cluster.

This is for a DR procedure but at the same time would be nice to know best way to do this as we have a 3rd cluster setup that eventually we will want the data in moved to one of the other clusters to allow for decommission of the 3rd clustered location.

(The same indexes exists in all 3 separated clustered environments.)

Thanks.

codebuilder · ‎08-25-2021

Short answer is yes it's possible. But it is a complicated process. I would recommend you engage Splunk support to help you define a process specific to your environment.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎08-25-2021

Short answer is yes it's possible. But it is a complicated process. I would recommend you engage Splunk support to help you define a process specific to your environment.

----
An upvote would be appreciated and Accept Solution if it helps!

Restoring data to new indexer for DR

administration

troubleshooting

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms