I currently have 4 indexers as part of my Splunk deployment. I am upgrading these indexers with new hardware.
I am going to join the 4 new indexers to the existing indexer cluster and then ultimately retire the 4 old indexers once the data is redistributed across the cluster.
But, once all of the indexers are in the same cluster I seem to have two options (I think) for making sure that data is distributed across the new indexers:
Option 1
Rebalance data across all 8 indexers...
splunk rebalance cluster-data -action start
...and then retire the old indexers as normal.
Option 2
Put each indexer in detention one by one and then retire in the following way, which as I understand it will move data off the indexer in the process...
splunk offline --enforce-counts
I've read the documentation around these topics, however Option 2 was mentioned to me in a previous post and so I just wanted clarification. Many thanks.
Edit:
Or, thinking about it some more, would I just use Option 1 to rebalance the data and then use Option 2 to remove the old indexers one by one?
Hi @Bomo2023 , Below are the high level steps-
1. add all new peers in cluster
2. update config in all forwarders to send data to all indexers old+new
3. put all old indexers in manual detention and update config on forwarder to send data to only new indexers
4. perform data rebalance
5. perform splunk offline on old indexers one by one
6. after everything looks fine remove old indexer from peers
------
If this reply helps an upvote will be appreciated
In manual detention, it will not consume new data but available for data rebalance.
I would suggest to use below command for decommisioning-
splunk offline --enforce-counts
Hi @Bomo2023 , Below are the high level steps-
1. add all new peers in cluster
2. update config in all forwarders to send data to all indexers old+new
3. put all old indexers in manual detention and update config on forwarder to send data to only new indexers
4. perform data rebalance
5. perform splunk offline on old indexers one by one
6. after everything looks fine remove old indexer from peers
------
If this reply helps an upvote will be appreciated
Thanks @493669
That's very helpful.
Just to confirm, when an indexer is in manual detention, it is still available for the purposes of data rebalancing?
And can I confirm that when running 'splunk offline' as part of this process you outlined, there's no need to include the '--enforce-counts' option?