Splunk Enterprise

Which of these two options is best for distributing data across indexers when adding new indexers and retiring old ones?

Bomo2023
Explorer

I currently have 4 indexers as part of my Splunk deployment. I am upgrading these indexers with new hardware.

I am going to join the 4 new indexers to the existing indexer cluster and then ultimately retire the 4 old indexers once the data is redistributed across the cluster.

But, once all of the indexers are in the same cluster I seem to have two options (I think) for making sure that data is distributed across the new indexers:

Option 1
Rebalance data across all 8 indexers...

 

splunk rebalance cluster-data -action start

 

...and then retire the old indexers as normal.


Option 2
Put each indexer in detention one by one and then retire in the following way, which as I understand it will move data off the indexer in the process...

 

splunk offline --enforce-counts

 

I've read the documentation around these topics; however, Option 2 was mentioned to me in a previous post and so I just wanted clarification. Many thanks.

Edit:

Or, thinking about it some more, would I just use Option 1 to rebalance the data and then use Option 2 to remove the old indexers one by one?

0 Karma
1 Solution

493669
Super Champion

Hi @Bomo2023, below are the high-level steps:

1. add all new peers in cluster

2. update config in all forwarders to send data to all indexers old+new

3. put all old indexers in manual detention and update config on forwarder to send data to only new indexers

4. perform data rebalance

5. perform splunk offline on old indexers one by one

6. after everything looks fine remove old indexer from peers

 

 

------

If this reply helps an upvote will be appreciated


493669
Super Champion

In manual detention, it will not consume new data but is available for data rebalance.
I would suggest using the below command for decommissioning:

splunk offline --enforce-counts
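
Steps 3 to 5 of the accepted answer, combined with the `--enforce-counts` suggestion above, as an added example that is not part of the original thread or Splunk's own tooling. The ssh runner, the install path, the host names and the `retire_old_peers`, `run_on` and `confirm` helpers are assumptions; the forwarder changes (step 2) and removing peers by GUID (step 6) are left manual.

```shell
#!/bin/sh
# Added example (not from the thread): steps 3-5 of the accepted answer.
# Assumptions: ssh reaches every node, the splunk CLI is already authenticated
# there, SPLUNK_BIN is the install path, and host names are placeholders.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"
RUNNER="${RUNNER:-ssh}"   # RUNNER=echo prints "<host> <command>" instead of running it
GATE="${GATE:-confirm}"   # called before each step that must wait on cluster state

# Default gate: the operator confirms after checking the manager node.
confirm() {
    printf '%s. Continue? [y/N] ' "$*" >&2
    read -r answer && [ "$answer" = "y" ]
}

run_on() { "$RUNNER" "$1" "$SPLUNK_BIN $2"; }

retire_old_peers() {
    [ "$#" -ge 2 ] || { echo "usage: retire_old_peers MANAGER OLD_PEER..." >&2; return 2; }
    manager="$1"; shift

    # Step 3: old peers stop accepting new data but stay available for rebalancing.
    for peer in "$@"; do
        run_on "$peer" "edit cluster-config -manual_detention on" || return 1
    done

    # Step 4: rebalance from the manager, then wait until it has finished
    # (progress: splunk rebalance cluster-data -action status).
    run_on "$manager" "rebalance cluster-data -action start" || return 1
    "$GATE" "Rebalance started; wait for it to complete" || return 1

    # Step 5: take old peers offline strictly one at a time.
    for peer in "$@"; do
        "$GATE" "About to take $peer offline" || return 1
        run_on "$peer" "offline --enforce-counts" || return 1
        run_on "$manager" "show cluster-status" || return 1
    done
    # Step 6 stays manual: removing a peer from the manager's list needs its GUID.
}
```

Running it with `RUNNER=echo` prints the per-node command sequence without touching the cluster, which is a useful review step before a real run.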

Bomo2023
Explorer

Thanks @493669 

That's very helpful.

Just to confirm, when an indexer is in manual detention, it is still available for the purposes of data rebalancing?

And can I confirm that when running 'splunk offline' as part of this process you outlined, there's no need to include the '--enforce-counts' option?

0 Karma