Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Merging two distinct Splunk into one

yanlajeunesse
Explorer
‎05-03-2018 07:00 AM

Hello,

Let's say the company has two departments that used Splunk independantly, and now they want to merge them together into a single Splunk environment.

Both departments have indexes with the same name, but that contains different data, and they also have dashboards and SPL referring these indexes.

I know i can move all indexes from department B to department A, and give them a new name if i want to keep the data separate (for retention and security purposes). However, this will require manual work to modify all the dashboards and various knowledge objects that refer to the original index's name.

Is there an easier way to do this than to manually adapt everything?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-03-2018 07:30 AM

There is no way to avoid the manual work of fixing the dashbaords and searches but you can avoid the work of renaming the index values/directories. You can keep the Indexers as-is and point a master Search Head to all of them and then change the searches that say index=foo into EITHER index=foo AND splunk_server IN("list", "of", "Indexer", "***TIER ONE***", "servers", "here") OR index=foo AND splunk_server IN("list", "of", "Indexer", "***TIER TWO***", "servers", "here") OR

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-03-2018 07:30 AM

There is no way to avoid the manual work of fixing the dashbaords and searches but you can avoid the work of renaming the index values/directories. You can keep the Indexers as-is and point a master Search Head to all of them and then change the searches that say index=foo into EITHER index=foo AND splunk_server IN("list", "of", "Indexer", "***TIER ONE***", "servers", "here") OR index=foo AND splunk_server IN("list", "of", "Indexer", "***TIER TWO***", "servers", "here") OR

0 Karma
Reply
Solved! Jump to solution

yanlajeunesse
Explorer
‎05-03-2018 08:40 AM

Thank you! It confirms my initial thought but you added an interesting possibility that we had not considered.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-03-2018 08:51 AM

You could even deploy this as a pair of marcos called index_equals_foo_TEIR1 and index_equals_foo_TIER2

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...