Splunk Enterprise

Which of these two options is best for distributing data across indexers when adding new indexers and retiring old ones?

Bomo2023
Explorer

I currently have 4 indexers as part of my Splunk deployment. I am upgrading these indexers with new hardware.

I am going to join the 4 new indexers to the existing indexer cluster and then ultimately retire the 4 old indexers once the data is redistributed across the cluster.

But, once all of the indexers are in the same cluster I seem to have two options (I think) for making sure that data is distributed across the new indexers:

Option 1
Rebalance data across all 8 indexers...

splunk rebalance cluster-data -action start

...and then retire the old indexers as normal.


Option 2
Put each indexer in detention one by one and then retire in the following way, which as I understand it will move data off the indexer in the process...

splunk offline --enforce-counts

I've read the documentation around these topics, however Option 2 was mentioned to me in a previous post and so I just wanted clarification. Many thanks.

Edit:

Or, thinking about it some more, would I just use Option 1 to rebalance the data and then use Option 2 to remove the old indexers one by one?

0 Karma

493669
Super Champion

Hi @Bomo2023, below are the high-level steps:

1. Add all new peers to the cluster

2. Update config on all forwarders to send data to all indexers, old + new

3. Put all old indexers in manual detention and update config on the forwarders to send data to only the new indexers

4. Perform data rebalance

5. Perform splunk offline on the old indexers one by one

6. After everything looks fine, remove the old indexers from peers


------

If this reply helps, an upvote will be appreciated


493669
Super Champion

In manual detention, it will not consume new data but is available for data rebalance.
I would suggest using the below command for decommissioning:

splunk offline --enforce-counts
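
An added example, not part of any post in this thread: a shell function that prints the commands for steps 3 to 6 of the two replies above in order, using the 'splunk offline --enforce-counts' form for step 5. Hostnames and the SPLUNK_BIN path are assumptions; 'edit cluster-config -manual_detention on', 'show cluster-status' and 'remove cluster-peers' are standard Splunk CLI commands that the thread does not spell out.

```shell
#!/bin/sh
# Added example: prints a decommission plan; it does not execute anything.
# SPLUNK_BIN and all hostnames are assumptions, not values from the thread.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"

# count_words "a b c" prints 3
count_words() { set -- $1; echo $#; }

# decommission_plan MANAGER "OLD PEERS" "NEW PEERS" REPLICATION_FACTOR
# Prints one "host: command" line per action, in the order given in the thread.
# Returns 1 if the new peers are fewer than the replication factor: once only
# they remain, 'offline --enforce-counts' cannot restore the required copies.
decommission_plan() {
    manager=$1 old=$2 new=$3 rf=$4
    if [ "$(count_words "$new")" -lt "$rf" ]; then
        echo "refusing: $(count_words "$new") new peers < replication factor $rf" >&2
        return 1
    fi
    # Step 3: old peers stop taking new data (per the reply, they remain
    # available for data rebalance). Forwarder outputs are changed separately.
    for h in $old; do
        echo "$h: $SPLUNK_BIN edit cluster-config -manual_detention on"
    done
    # Step 4: rebalance, started and monitored from the manager node.
    echo "$manager: $SPLUNK_BIN rebalance cluster-data -action start"
    echo "$manager: $SPLUNK_BIN rebalance cluster-data -action status   # repeat until finished"
    # Step 5: one old peer at a time, checking the cluster between peers.
    for h in $old; do
        echo "$h: $SPLUNK_BIN offline --enforce-counts"
        echo "$manager: $SPLUNK_BIN show cluster-status   # wait before the next peer"
    done
    # Step 6: drop the retired peers from the manager's peer list.
    echo "$manager: $SPLUNK_BIN remove cluster-peers -peers <guid-of-each-old-peer>"
}

# Constructed sample inventory (hypothetical hostnames), shown with --demo.
if [ "${1:-}" = "--demo" ]; then
    decommission_plan cm01 "idx-old1 idx-old2 idx-old3 idx-old4" \
                           "idx-new1 idx-new2 idx-new3 idx-new4" 3
fi
```

Run it with --demo to print the plan for the constructed inventory; the refusal path triggers when the list of new peers is shorter than the replication factor passed in.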

Bomo2023
Explorer

Thanks @493669 

That's very helpful.

Just to confirm, when an indexer is in manual detention, it is still available for the purposes of data rebalancing?

And can I confirm that when running 'splunk offline' as part of this process you outlined, there's no need to include the '--enforce-counts' option?

0 Karma