Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we add new indexer through UI and what happens to the data when indexers are removed

vrmandadi
Builder
‎01-28-2020 11:14 AM

1.What are the steps to add new indexer through the WEB UI? .

  1. what are steps to be taken to remove indexers from cluster?

  2. What happens to the data in the indexers which are removed? and if data is lost how to recover?

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-28-2020 11:20 AM

1.) No, it can not be done from the web UI
2.) https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Takeapeeroffline
3.) During decomission, the retiring indexer will transfer its primacy of buckets to another peer(s), and the cluster will replicate buckets to make sure there are sufficient copies (according to SF/RF) remaining in the cluster - Thus no data is lost!

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-28-2020 11:20 AM

1.) No, it can not be done from the web UI
2.) https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Takeapeeroffline
3.) During decomission, the retiring indexer will transfer its primacy of buckets to another peer(s), and the cluster will replicate buckets to make sure there are sufficient copies (according to SF/RF) remaining in the cluster - Thus no data is lost!

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

vrmandadi
Builder
‎01-29-2020 08:00 AM

Hello @nickhillscpl .Thank you for your reply .I did not understand the 3rd point .We have 5 indexers now and we are with SF,RF as 2 .Now we are removing three indexers and adding another one .Should we change the SF and RF .Regarding data loss .Can you please elaborate , when we remove the indexer where does the data in the indexer goes to , doe s it send it to the other indexers?

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎01-29-2020 08:09 AM

If you can, add your new indexer first. Then decomission the 3 old indexers 1 at a time.

Yes, when you decom an old indexer it will reassign any primary copies it has to another member.
The cluster will then replicate data between the remaining indexers to restore your target SF/RF.

Since you have SF & RF of 2, there are always two copies of every bucket in the cluster. This means that your old server will not have the sole copy of any data.
When the decom is finished, the data will not get removed from your old indexer - it just becomes unimportant (to the cluster)

I just updated the wording of 3 - does that make sense?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎01-29-2020 08:40 AM

Thank you so much for the explanation.Step 2 you have mentioned will make sure that it will reassign the copies to another member right

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...