Hi Guys,
We have 1 indexer and 1 Search head in 2 different datacenter locations. (Let's say DC-A and DC-B)
Since DC-A is being decommissioned, we have been directed to copy the indexed data from the Indexer in DC-A to Indexer in DC-B.
Now, Indexer in DC-B has enough SAN to hold the indexed data from both the Datacenters but we would want to move/store the data in such a way that SH in DC-B is not able to search data from DC-A.
So basically, I am looking at how to store data in indexer but make it non searchable.
Any ideas, how to best proceed with this? Appreciate the help !!
Thanks,
Neerav Mathur
Hi @neeravmathur,
there is only one way to make an index non-searchable: removing read grants for all the roles except admin on those indexes.
This is possible if it has a different name; if instead you have the same index name both in DC-A and DC-B, it isn't possible to block access only to data from DC-A.
Ciao.
Giuseppe
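An audit check for the approach in the answer above, added here as an example and not part of the original thread: it lists which roles can still search a given index once inherited roles and wildcards are resolved. The sample authorize.conf, the role names and the index name `dca_archive` are constructed; the script models only `srchIndexesAllowed` and `importRoles` from a single file, and treats wildcards as simple globs where a pattern without a leading underscore never matches an internal index.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; role and index names are hypothetical.
SAMPLE_AUTHORIZE = """
[role_user]
srchIndexesAllowed = main;web_*
[role_power]
importRoles = user
srchIndexesAllowed = os
[role_analyst]
importRoles = power
srchIndexesAllowed = *
[role_dca_custodian]
srchIndexesAllowed = dca_archive
"""

def load_roles(text):
    """Parse authorize.conf text into {role: {"allowed": [...], "imports": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(text)
    def items(section, key):  # semicolon-separated list value, empty if unset
        return [v.strip() for v in cp.get(section, key, fallback="").split(";") if v.strip()]
    return {s[5:]: {"allowed": items(s, "srchIndexesAllowed"), "imports": items(s, "importRoles")}
            for s in cp.sections() if s.startswith("role_")}

def effective_patterns(roles, role, seen=None):
    """Own index patterns plus everything inherited through importRoles (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    patterns = set(roles[role]["allowed"])
    for parent in roles[role]["imports"]:
        patterns |= effective_patterns(roles, parent, seen)
    return patterns

def pattern_matches(pattern, index):
    # Assumption: an internal index (leading "_") needs a pattern that also starts with "_".
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)

def roles_that_can_search(text, index):
    """Sorted role names whose effective patterns match the index."""
    roles = load_roles(text)
    return sorted(r for r in roles
                  if any(pattern_matches(p, index) for p in effective_patterns(roles, r)))
```

On the sample, the `analyst` role still reaches `dca_archive` through its `*` grant, which is the kind of leftover access to look for after removing read grants.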
That worked like a charm !!
Thanks Again...
Hi @neeravmathur,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
This is exactly what I was hoping to hear...Will surely try that and will update you..
Thanks a lot for your quick and prompt response...
Thanks,
Neerav
Hi @neeravmathur,
nice to help you, tell me if I can help you more, and don't forget to accept the answer at the end of your check for the other people of Community.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi
I'm not sure if I understood your issue correctly or not?
If you just want to store that data from the old indexers somewhere, then probably the easiest way is to move it from cold to frozen and then store those frozen buckets on some dedicated SAN storage area (a separate filesystem on another box). Then you can get those back if needed as thawed buckets.
If you have data on indexes (hot/warm/cold) then this data is always searchable. Of course you can add a search filter to users that contains something like "splunk_server = idx-b", and then users have this restriction on their searches. IMHO: personally I don't like search filters, as they usually generate more issues than they solve in the long run.
r. Ismo