Splunk Enterprise

Which of these two options is best for distributing data across indexers when adding new indexers and retiring old ones?

Bomo2023
Explorer

I currently have 4 indexers as part of my Splunk deployment. I am upgrading these indexers with new hardware.

I am going to join the 4 new indexers to the existing indexer cluster and then ultimately retire the 4 old indexers once the data is redistributed across the cluster.

But, once all of the indexers are in the same cluster I seem to have two options (I think) for making sure that data is distributed across the new indexers:

Option 1
Rebalance data across all 8 indexers...

splunk rebalance cluster-data -action start

...and then retire the old indexers as normal.

Option 2
Put each indexer in detention one by one and then retire in the following way, which as I understand it will move data off the indexer in the process...

splunk offline --enforce-counts

I've read the documentation around these topics, however Option 2 was mentioned to me in a previous post and so I just wanted clarification. Many thanks.

Edit:

Or, thinking about it some more, would I just use Option 1 to rebalance the data and then use Option 2 to remove the old indexers one by one?

1 Solution

493669
Super Champion

Hi @Bomo2023, below are the high-level steps:

1. Add all new peers to the cluster.

2. Update the config on all forwarders to send data to all indexers, old + new.

3. Put all old indexers in manual detention and update the config on the forwarders to send data to only the new indexers.

4. Perform the data rebalance.

5. Perform splunk offline on the old indexers one by one.

6. After everything looks fine, remove the old indexers from the peers.

------

If this reply helps, an upvote will be appreciated.
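The six steps above, written out as a runbook script. This is an added example and not code from the thread or from Splunk; it assumes ssh access to every peer and to the cluster manager, SPLUNK_HOME at its default path on each host, receiving port 9997, and the constructed hostnames idx1..idx8 and cm. It defaults to DRY_RUN=1 and only prints each remote command, so the sequence can be reviewed before it touches the cluster; distribution of the generated outputs.conf to the forwarders (deployment server or config management) is left to the operator, and the peer GUIDs for the final removal must be read from the manager.

```shell
#!/bin/sh
# Added example runbook for the peer-swap procedure above; not code from the
# thread or from Splunk. Assumptions: ssh access to every peer and to the
# cluster manager, SPLUNK_HOME at the default path on each host, receiving
# port 9997, and constructed hostnames (idx1..idx8 old/new peers, cm manager).
# DRY_RUN=1 (the default) only prints each remote command; set DRY_RUN=0 to
# execute, and RUN_RUNBOOK=1 to run all phases when the script is invoked.
set -eu

SPLUNK="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
MANAGER="${MANAGER:-cm}"
OLD_PEERS="${OLD_PEERS:-idx1 idx2 idx3 idx4}"
NEW_PEERS="${NEW_PEERS:-idx5 idx6 idx7 idx8}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command on a host, or print it when DRY_RUN=1.
run() {
    host=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf '[%s] %s\n' "$host" "$*"
    else
        ssh "$host" "$@"
    fi
}

# Expand bare hostnames into host:9997 entries, one per line.
with_port() {
    for h in "$@"; do printf '%s:9997\n' "$h"; done
}

# Render the forwarder outputs.conf [tcpout] stanza for the given host:port list.
render_outputs_conf() {
    list=""
    for p in "$@"; do list="${list:+$list,}$p"; done
    printf '[tcpout]\ndefaultGroup = indexers\n\n[tcpout:indexers]\nserver = %s\n' "$list"
}

# Write the outputs.conf the forwarders should receive for this phase.
# Pushing it to the forwarders is left to the operator's config tooling.
update_forwarders() {
    # $1 is a space-separated list of peers; word splitting is intentional.
    render_outputs_conf $(with_port $1) > "${OUTPUTS_CONF:-/tmp/outputs.conf}"
    echo "wrote ${OUTPUTS_CONF:-/tmp/outputs.conf} for: $1"
}

# Step 2: forwarders send to old and new peers while both sets are in the cluster.
phase_all_peers() { update_forwarders "$OLD_PEERS $NEW_PEERS"; }

# Step 3: old peers stop taking new data but remain eligible for rebalance;
# forwarders are repointed at the new peers only.
phase_detain_old() {
    for p in $OLD_PEERS; do
        run "$p" "$SPLUNK" edit cluster-config -manual_detention on
    done
    update_forwarders "$NEW_PEERS"
}

# Step 4: rebalance bucket copies across all eight peers from the manager.
# Re-run the status command until the manager reports the rebalance finished.
phase_rebalance() {
    run "$MANAGER" "$SPLUNK" rebalance cluster-data -action start
    run "$MANAGER" "$SPLUNK" rebalance cluster-data -action status
}

# Step 5: take old peers offline one at a time. --enforce-counts makes the
# peer wait until the cluster meets replication and search factor without it.
# Check cluster-status on the manager before moving on to the next peer.
phase_offline_old() {
    for p in $OLD_PEERS; do
        run "$p" "$SPLUNK" offline --enforce-counts
        run "$MANAGER" "$SPLUNK" show cluster-status
    done
}

# Step 6: once everything is healthy, remove the old peers from the manager's
# peer list. The command takes peer GUIDs, which "list cluster-peers" shows,
# so the placeholder below must be replaced by the operator.
phase_remove_old() {
    run "$MANAGER" "$SPLUNK" list cluster-peers
    run "$MANAGER" "$SPLUNK" remove cluster-peers -peers '<OLD_PEER_GUID_1>,<OLD_PEER_GUID_2>'
}

main() {
    phase_all_peers
    phase_detain_old
    phase_rebalance
    phase_offline_old
    phase_remove_old
}

if [ "${RUN_RUNBOOK:-0}" = 1 ]; then main; fi
```

Run it once with the defaults to see the full command sequence printed per host, then with DRY_RUN=0 RUN_RUNBOOK=1 to execute; the detention step in phase 3 is what keeps the old peers out of the forwarders' rotation while still letting the phase 4 rebalance pull copies off them.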


493669
Super Champion

In manual detention, it will not consume new data but is available for data rebalance.
I would suggest using the below command for decommissioning:

splunk offline --enforce-counts


Bomo2023
Explorer

Thanks @493669 

That's very helpful.

Just to confirm, when an indexer is in manual detention, it is still available for the purposes of data rebalancing?

And can I confirm that when running 'splunk offline' as part of this process you outlined, there's no need to include the '--enforce-counts' option?
