How to take an Indexer (indexA.aws.gov) out of a C...

SamHTexas · ‎11-22-2021

I work in a large environment clustered mostly, have Splunk Ent., ES. SHs & Indexers clustered) There is a maintenance being done & we are told that the indexer will be moved to a new host & data loss will occur. How do I move this indexer out of of the cluster briefly to avoid data loss please? Thanks very much for your help in advance.

isoutamo · ‎11-22-2021

Hi

it depends is this a temporary (and how long time) or permanent removal. Anyhow you can read and follow these instructions https://docs.splunk.com/Documentation/Splunk/8.2.3/Indexer/Takeapeeroffline to do this.

SamHTexas · ‎11-23-2021

Tanks for your message. It is a perm. move. Is it correct that the data is lost on AWS as soon as the Indexer it stopped? Please advise best practices for temporary or a permanent move. In the current case is permanent. Thank u a million in advance for your time sir.

isoutamo · ‎11-24-2021

If/when you have an indexer and your SF/RF >= 2 then you don't lose data as you have at least one copy of every bucket. It could be short time when searches don't found all data (when bucket are rebuild for search), but you don't lose the data.

You should just follow the document's instructions how to remove peer permanently from cluster. Nothing rocket science, just step by step and reserve enough time for those bucket moves/repairs.

If your RF=1 then you must figure out what is the best way to replace current peer and change RF asap at least to 2.

r. Ismo

How to take an Indexer (indexA.aws.gov) out of a Cluster during a maintenance to avoid data loss. Thanks a million

configuration

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?