Splunk Enterprise

Splunk Database copy to new_instance

DataUser007
New Member

I have a Windows server whose OS crashed, but I have the Splunk database on another drive, which is fine. The steps I have performed in the new Splunk installation are:

1. Copied the configurations of the previous Splunk application from the backup I have into the new application.

2. Changed the database location and created the database structure on another drive, apart from the C: drive.

3. Now from the earlier database I copied the indexed data into the new database, where I have overwritten the already present indexes which were created as per the indexer configuration.

4. Now when I restart Splunk I am getting a "DIRTY_DATABASE File (.dirty_database)" file generated.

5. But I can see the data in the indexes when I ran a search.

So, the question is whether the procedure I followed is correct, or is there any other way to do this?

Thanks,

Your well wisher


isoutamo
SplunkTrust

Hi

Here is a link on how to move the index database to the new location: https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Moveanindex

When I need to move a db to a new node, I have followed this: https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/5280... That was for a Linux node, but you can do the same procedure on Windows with small changes to the commands used.

  1. Copy data + configurations to the correct place
    1. As you are moving SPLUNK_DB to a new directory, you must update the correct parameters (see docs link)
  2. Install a fresh Splunk (same version as on the old node)
  3. Start Splunk
  4. Check that all is OK
  5. Update to the latest/needed version

r. Ismo
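
The copy, SPLUNK_DB update, start and check steps from the answer above, written for Windows as an added example; it is not code from the original posts or from Splunk's documentation. Assumptions: the three paths are placeholders, the new instance is already installed at the same version, `$NewDb` is empty or absent before the copy, and the session is an elevated PowerShell prompt.

```powershell
# Added example. All paths below are assumptions; adjust them to your environment.
$SplunkHome = 'C:\Program Files\Splunk'   # assumed install location of the new instance
$OldDb      = 'E:\old_splunk_db'          # assumed location of the surviving index data
$NewDb      = 'D:\splunk_db'              # assumed new SPLUNK_DB directory (empty or absent)
$SplunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'
$LaunchConf = Join-Path $SplunkHome 'etc\splunk-launch.conf'
$CopyLog    = Join-Path $env:TEMP 'splunk_db_copy.log'

# Stop Splunk first so no index files are open or changing during the copy.
& $SplunkExe stop

# Copy the whole index tree, including empty directories (/E).
# robocopy exit codes below 8 mean success; 8 and above mean at least one failure.
robocopy $OldDb $NewDb /E /R:2 /W:5 /NP "/LOG:$CopyLog"
if ($LASTEXITCODE -ge 8) {
    throw "robocopy failed with exit code $LASTEXITCODE, see $CopyLog"
}

# Compare file count and total size so a partial copy is caught before startup.
function Get-TreeStats([string]$Path) {
    $m = Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
         Measure-Object -Property Length -Sum
    [pscustomobject]@{ Files = $m.Count; Bytes = [long]$m.Sum }
}
$src = Get-TreeStats $OldDb
$dst = Get-TreeStats $NewDb
if ($src.Files -ne $dst.Files -or $src.Bytes -ne $dst.Bytes) {
    $msg = "Copy mismatch: source $($src.Files) files, $($src.Bytes) bytes; destination $($dst.Files) files, $($dst.Bytes) bytes"
    throw $msg
}

# Set SPLUNK_DB in splunk-launch.conf, replacing any existing or commented-out entry.
Copy-Item -LiteralPath $LaunchConf -Destination "$LaunchConf.bak" -Force
$kept = @(Get-Content -LiteralPath $LaunchConf |
          Where-Object { $_ -notmatch '^\s*#?\s*SPLUNK_DB\s*=' })
($kept + "SPLUNK_DB=$NewDb") | Set-Content -LiteralPath $LaunchConf -Encoding ASCII

# Start Splunk and list the configured index paths. Entries based on $SPLUNK_DB follow
# the new setting; hardcoded absolute paths from the old server need editing in indexes.conf.
& $SplunkExe start
& $SplunkExe btool indexes list --debug | Select-String 'homePath|coldPath|thawedPath'
```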
