Solved: Splunk Non Clustered buckets

ram254481493 · ‎06-03-2019

Hi , we migrated an indexer from non clustered to a clustered environment , i know the naming convention for clustered and non clustered buckets are different. So is the data which lies in non clustered buckets is still be searchable on my clustered environment. If so how ?

2) i saw in my cold directory i have an additional backup folder created where all of my indexes backups stored , it not defined in indexes.conf and not sure who created ? is it created by default ?

martynoconnor · ‎06-03-2019

Are you moving to a site aware cluster, or a non site aware cluster. The procedure for getting searchable and properly replicated data from non clustered buckets to clustered buckets is different between the two. If moving to a non site aware cluster, you can do the following:

Rename buckets in conform to the clustered bucket format. You can avoid bucket clashes by incrementing the bucket number as part of the rename/copy and picking an arbitrarily high bucket number so as to avoid a clash with any existing clustered buckets. I would strongly recommend that you go to a multisite cluster though, as it makes future growth of your cluster easier to manage and administer.

Another option available to you is to create a new cluster of indexers altogether, and then to have your search heads search across both the clustered indexers, and your older all in one instance until such time as the data in the all in one instance ages out (i.e. no new data goes into it from the time the indexer cluster is stood up) and then you can decommission it.

View solution in original post

martynoconnor · ‎06-03-2019

Are you moving to a site aware cluster, or a non site aware cluster. The procedure for getting searchable and properly replicated data from non clustered buckets to clustered buckets is different between the two. If moving to a non site aware cluster, you can do the following:

Rename buckets in conform to the clustered bucket format. You can avoid bucket clashes by incrementing the bucket number as part of the rename/copy and picking an arbitrarily high bucket number so as to avoid a clash with any existing clustered buckets. I would strongly recommend that you go to a multisite cluster though, as it makes future growth of your cluster easier to manage and administer.

Another option available to you is to create a new cluster of indexers altogether, and then to have your search heads search across both the clustered indexers, and your older all in one instance until such time as the data in the all in one instance ages out (i.e. no new data goes into it from the time the indexer cluster is stood up) and then you can decommission it.

ram254481493 · ‎06-06-2019

we was a non clustered environment later we moved to clustered environment. But is my search head will still be able to search the data from non-clustered buckets ?

martynoconnor · ‎06-07-2019

Hi there, yes, if you simply enable clustering on what was once a non-clustered indexer then all future buckets will be clustered and replicated, but you will run the risk of data loss on pre-cluster buckets as they will not replicate unless you trick the indexers into thinking they are clustered buckets using the bucket renaming detailed above. If that risk is acceptable, the move is quite simple. However, I would strongly recommend you move to a multisite cluster rather than a non site-aware cluster. It will save so much pain in the long run and it gives you better control over distribution of replicated copies of data for DR purposes.

Splunk Non Clustered buckets

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Join the Conversation