Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Clustered Indexer data erasing

smithke
Explorer
‎06-08-2021 08:22 AM

We have three indexers in our cluster.

We want to decommission one of the indexers but still want to search all the data on it. Therefore we are moving the old historical data from the indexer we want to decommission to another indexer in the cluster.

We have migrated all indexes over to the other indexer, however, there are about 5 indexes that as soon as we copy the data over to the other indexer it gets wiped from that indexer. Again we copy the data from the indexer we want to decommission and again on the indexer we want to keep it is nearly immediately removed.

I am guessing this is a cluster setting that is removing it. What am I missing? We only have to get these remaining indexes off so we can decommission this indexer.

Let me know if you need more clarification on the issue. I also have opened a ticket with Splunk support on the issue and will post the resolution here if support finds the issue before the community does.

 

Labels (3)
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-08-2021 08:56 AM

You're trying too hard.  Just shut down the indexer with splunk offline --enforce-counts and let the Cluster Manager handle moving the data.

Also, make sure the cluster's RF/SF settings are consistent with a 2-node cluster.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-08-2021 08:56 AM

You're trying too hard.  Just shut down the indexer with splunk offline --enforce-counts and let the Cluster Manager handle moving the data.

Also, make sure the cluster's RF/SF settings are consistent with a 2-node cluster.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

smithke
Explorer
‎06-08-2021 09:15 AM

Will this copy over all data so that we ensure we dont lose anything?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2021 05:46 AM

Yes.  The --enforce-counts option tells the CM to make sure the RF and SF counts are satisfied before the indexer shuts down.

See https://docs.splunk.com/Documentation/Splunk/8.2.0/Indexer/Takeapeeroffline#Take_a_peer_down_permane... and https://docs.splunk.com/Documentation/Splunk/8.2.0/Indexer/Whathappenswhenapeergoesdown#When_a_peer_... .

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...