Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Summary Index Migration

Olamide22
Explorer
‎04-28-2014 01:36 PM

Hello Everyone,

We currently have a Splunk instance up and running and are looking to stand up a completely different environment.In order to satisfy our retention requirements, we want to migrate logs from the existing to the new instance.

I'm aware that you can migrate Splunk indexes.However, we only need select logs migrated from the existing instance to the new.Since we have summary indexing enabled for the select that we want migrated,I was wondering whether migrating the summary index to the new instance will give us access to the select logs on the new instance. Also, I would like to know if the migrated summary index(data)will be in raw format once migrated.This is important because of the retention requirement.

All inputs are appreciated.

Lamide

0 Karma
Reply

linu1988
Champion
‎04-28-2014 02:16 PM

Hello Lamide,
If you are planning to migrate your summary index alone follow the below steps.

  • Take the indexes.conf settings and update the same in your target environment.
  • Copy the whole index directory to the target environment maintaining the same directory structure.
  • Restart the splunk service to synchronize
  • if you want to increase the retention period increase the frozen second option.

Thanks

Reply

linu1988
Champion
‎04-29-2014 11:40 AM

Summary index / raw index has nothing to do with the retention policy. Secondly they do stay in a summarized format but it depends what you have put in there. So if you copy them over to the new environment as i have suggested it will work perfectly.

Just change the
frozenTimePeriodInSecs

for your summery index definitions to make retention period more.

0 Karma
Reply

Olamide22
Explorer
‎04-29-2014 07:12 AM

Thanks linu1988!

Can you(or anyone)please chime in on the second part of the question if you can?...i.e., Is the migrated summary index(data)in the same format as a regular migrated Splunk index.The concern is that the migrated summary index may not be in the format(raw logs) and this may not fulfill the log retention requirements.
I'm almost sure that I read somewhere in the Splunk documentation that the log format for the Summary Index is different from that of a regular Splunk indexer but, I can seem to find where I read it.Any assistance will be very appreciated.

Regards,

Olamide.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...