Considering we can move data from one index to another index in the same cluster by moving buckets, I am in a scenario where I need to create an index on index cluster 2 with a new name and an increased retention period. How do I move the data of one index which is in, say, cluster 1 with replication factor 3 (i.e., each indexer has a copy of every bucket from the other two indexers under different names), which cannot be copied to the new index with a different name in cluster 2?
Here the challenge is to identify the replicated buckets to avoid being copied to a new index on another cluster, so we only copy the primary buckets to cluster 2 and allow cluster 2 to create the replication buckets based on its own rep factor.
Is this achievable, either via UI or CLI? How?
If I only want to copy data of a specific sourcetype from index 1 in cluster 1 to index 2 in cluster 2, how can I do that? NOTE: I cannot create index 2 with the same name as index 1; it has already been created and is in use for other data.
How can I achieve this?
It should be achievable but not with GUI, not with "just CLI". It requires a lot of bending over backwards to find the buckets, copy them over, rename... Especially if the destination cluster is a production environment I wouldn't touch it without testing in a dev environment and help from a friendly Splunk Consultant (or someone equally knowledgeable).
And you can't "copy" just part of the buckets. You'd need to export the raw data and reingest it into the destination cluster.
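The "find the buckets" step above, as an added example that is not from this thread or from Splunk: on a clustered indexer, originating bucket copies are named `db_<latest>_<earliest>_<localid>_<guid>` and replicated copies `rb_<...>`, so selecting only `db_*` directories on each peer yields one copy per bucket across the cluster. The index path, time window and the sample directory tree are constructed for the example; if an originating peer has been lost, its buckets survive only as `rb_` copies elsewhere and this filter alone would miss them.

```shell
#!/bin/sh
# Added example (not from the thread). Lists originating ("db_") bucket
# copies of one index and skips replicated ("rb_") copies and hot buckets.
# Assumed clustered layout under <index_path>/db and <index_path>/colddb:
#   db_<latest>_<earliest>_<localid>_<guid>   originating copy (selected)
#   rb_<latest>_<earliest>_<localid>_<guid>   replicated copy  (skipped)
#   hot_v1_<localid>                          still being written (skipped)

# list_primary_buckets INDEX_DIR [EARLIEST_EPOCH] [LATEST_EPOCH]
# Prints one bucket directory per line whose time span overlaps the window.
list_primary_buckets() {
  idx_dir=$1; win_start=${2:-0}; win_end=${3:-9999999999}
  for b in "$idx_dir"/db/db_* "$idx_dir"/colddb/db_*; do
    [ -d "$b" ] || continue
    name=$(basename "$b")
    # name fields: db, latest epoch, earliest epoch, localid, guid
    latest=$(echo "$name" | cut -d_ -f2)
    earliest=$(echo "$name" | cut -d_ -f3)
    # keep buckets whose [earliest, latest] span overlaps the window
    if [ "$latest" -ge "$win_start" ] && [ "$earliest" -le "$win_end" ]; then
      echo "$b"
    fi
  done
}

# count_replicated_buckets INDEX_DIR: number of rb_ copies that were skipped
count_replicated_buckets() {
  n=0
  for b in "$1"/db/rb_* "$1"/colddb/rb_*; do
    [ -d "$b" ] && n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample index directory (stands in for $SPLUNK_DB/<index>).
make_sample_index() {
  d=$(mktemp -d)
  mkdir -p "$d/db/db_1700000000_1699000000_1_AAAA" \
           "$d/db/rb_1700000000_1699000000_7_BBBB" \
           "$d/db/hot_v1_3" \
           "$d/colddb/db_1600000000_1590000000_2_AAAA" \
           "$d/colddb/rb_1600000000_1590000000_9_CCCC"
  echo "$d"
}
```

Run it on every peer in cluster 1 and take the union of the output; each bucket appears exactly once, which is the set that would then be exported or copied under a new name rather than the full db_ plus rb_ set.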
Consider this a one-time thing: based on the requirement, we only move the data from one index to another index in another cluster, and we are not going to configure new data forwarding to the new index.
Is this a one-time thing, or will you have an on-going need to replicate data like this? Are you trying to isolate data for some org to search without being able to see other data?
If it is a one-time thing, can you add an indexer to your existing cluster and get the data replicated/balanced to it, then remove it from the cluster, reconfigure it to be on its own, and make the necessary retention settings for this new environment in your indexes.conf? You could also remove any data you didn't need.
Overall, moving just a single sourcetype from one environment to another when the data has already been at rest means you're probably going to need to do a manual export from Index Cluster A over to Index (cluster) B. If it's not the only sourcetype in a single index, then that means you're going to have a bunch of interleaved data within your index buckets on the filesystem. If you have on-going requirements to have data forked like this, then you should look towards using some sort of stream-management product like Splunk Edge or Cribl.