Splunk Search

Splunk Non Clustered buckets

ram254481493
Explorer

Hi , we migrated an indexer from non clustered to a clustered environment , i know the naming convention for clustered and non clustered buckets are different. So is the data which lies in non clustered buckets is still be searchable on my clustered environment. If so how ?

2) i saw in my cold directory i have an additional backup folder created where all of my indexes backups stored , it not defined in indexes.conf and not sure who created ? is it created by default ?

Tags (1)
0 Karma
1 Solution

martynoconnor
Communicator

Are you moving to a site aware cluster, or a non site aware cluster. The procedure for getting searchable and properly replicated data from non clustered buckets to clustered buckets is different between the two. If moving to a non site aware cluster, you can do the following:

Rename buckets in conform to the clustered bucket format. You can avoid bucket clashes by incrementing the bucket number as part of the rename/copy and picking an arbitrarily high bucket number so as to avoid a clash with any existing clustered buckets. I would strongly recommend that you go to a multisite cluster though, as it makes future growth of your cluster easier to manage and administer.

Another option available to you is to create a new cluster of indexers altogether, and then to have your search heads search across both the clustered indexers, and your older all in one instance until such time as the data in the all in one instance ages out (i.e. no new data goes into it from the time the indexer cluster is stood up) and then you can decommission it.

View solution in original post

0 Karma

martynoconnor
Communicator

Are you moving to a site aware cluster, or a non site aware cluster. The procedure for getting searchable and properly replicated data from non clustered buckets to clustered buckets is different between the two. If moving to a non site aware cluster, you can do the following:

Rename buckets in conform to the clustered bucket format. You can avoid bucket clashes by incrementing the bucket number as part of the rename/copy and picking an arbitrarily high bucket number so as to avoid a clash with any existing clustered buckets. I would strongly recommend that you go to a multisite cluster though, as it makes future growth of your cluster easier to manage and administer.

Another option available to you is to create a new cluster of indexers altogether, and then to have your search heads search across both the clustered indexers, and your older all in one instance until such time as the data in the all in one instance ages out (i.e. no new data goes into it from the time the indexer cluster is stood up) and then you can decommission it.

0 Karma

ram254481493
Explorer

we was a non clustered environment later we moved to clustered environment. But is my search head will still be able to search the data from non-clustered buckets ?

0 Karma

martynoconnor
Communicator

Hi there, yes, if you simply enable clustering on what was once a non-clustered indexer then all future buckets will be clustered and replicated, but you will run the risk of data loss on pre-cluster buckets as they will not replicate unless you trick the indexers into thinking they are clustered buckets using the bucket renaming detailed above. If that risk is acceptable, the move is quite simple. However, I would strongly recommend you move to a multisite cluster rather than a non site-aware cluster. It will save so much pain in the long run and it gives you better control over distribution of replicated copies of data for DR purposes.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...