Solved: Restoring data to new indexer for DR

jeffbat · ‎08-24-2021

I am running Splunk Enterprise on prem and have a set of indexers in a cluster in one region and another set of indexers in a separate cluster in a different region.

If region A is completely lost but we have backups in Region B of the data from Region A; is it possible to restore the data into the indexer cluster in Region B or would we have to restore the data and put into thawed and run the unthaw process bucket by bucket?

We are not running a multi-site cluster.

This is for a DR procedure but at the same time would be nice to know best way to do this as we have a 3rd cluster setup that eventually we will want the data in moved to one of the other clusters to allow for decommission of the 3rd clustered location.

(The same indexes exists in all 3 separated clustered environments.)

Thanks.

codebuilder · ‎08-25-2021

Short answer is yes it's possible. But it is a complicated process. I would recommend you engage Splunk support to help you define a process specific to your environment.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎08-25-2021

Short answer is yes it's possible. But it is a complicated process. I would recommend you engage Splunk support to help you define a process specific to your environment.

----
An upvote would be appreciated and Accept Solution if it helps!

Restoring data to new indexer for DR

administration

troubleshooting

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases