How to migrate Splunk by changing the existing instance to become forwarder/secondary indexer?

quahfamili
Path Finder

Hi all,

I had a Splunk instance that used to be ingesting local data, and hence it is the indexer as well as the search head.

I'm thinking of using it as a backup(duplicating)/secondary indexer and forward the data to a new server (migrated server with duplicated data).

Is it possible to do this? What are the steps I need to take?

Thanks in advance.

nickhills
Ultra Champion

On the 'old' indexer:
In Settings > Forwarding and receiving > Forwarding Defaults
Enable "Store a local copy of forwarded events?"

Then go to Settings > Forwarding and receiving > Forward data
Click "New" and enter the ip:port of your 'new' indexer.

What this will do is configure your indexer to work as a combined indexer & forwarder.
Copies of the data will be saved on your 'old' indexer and forwarded to your 'new' indexer.
When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden.

If my comment helps, please give it a thumbs up!
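
The same index-and-forward setup expressed as configuration files, as an added example that is not part of the original answer. The group name `new_indexer`, the placeholder address, and receiving port 9997 are assumptions; substitute your own values.

```ini
# --- On the 'old' indexer: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
# Send everything to the group defined below (group name is an assumption)
defaultGroup = new_indexer
# Keep indexing locally as well as forwarding; this is what
# "Store a local copy of forwarded events?" controls
indexAndForward = true

[tcpout:new_indexer]
# ip:port of the 'new' indexer (placeholder address, assumed port)
server = <new-indexer-ip>:9997

# --- On the 'new' indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for forwarded data on the same port the old indexer sends to
[splunktcp://9997]
disabled = 0
```

Restart Splunk on each server after editing its file so the change takes effect.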

quahfamili
Path Finder

Hi @nickhillscpl

I would like to ask you:

You mentioned "When you are happy everything is working properly, you can change your forwarders to send directly to the 'new' indexer to remove your 'old' indexer from the burden."

How do I actually do it? Do I just change the license to a forwarder license, so it would not consume my data ingest limit?

adonio
Ultra Champion

hello there,

everything is possible, what is it that you would like to accomplish?
do you need backup? if you can keep the data and the server (old indexer) no need to forward it to a new instance.
install splunk on new server, add the old server as a search peer to the new splunk server. read here:
https://docs.splunk.com/Documentation/Splunk/7.0.1/DistSearch/Configuredistributedsearch
and you are ready to rock and roll

hope it helps

quahfamili
Path Finder

Hi, I want the older server to remain and forward the events to a new server, so there is a duplicate of the server.

The issue here is that the old server is very slow, but I want to keep it until everything is stabilised before shutting the index. The older server will remain to process some files and forward to the newer server but not indexing anymore.

Possible? How?
