Hi @Atchyuth_P,

At first, you cannot replicate old data in a cluster. So if for the clustered indexes you use the same names as the old non-clustered indexes, you lose your old data, so the best approach is to use different names and create in your searches two eventtypes that use both the indexes (clustered and non-clustered), waiting for the natural end of the old indexes, which will not receive new data and will be empty once the retention time is exceeded.

Otherwise, you could (but it's a very long job) export all your data from the old indexes (divided by sourcetype and host) and then import it into the new clustered indexes, but, as I said, it's a long job!

Ciao.
Giuseppe