- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Summary Index Migration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Summary Index Migration
Hello Everyone,
We currently have a Splunk instance up and running and are looking to stand up a completely different environment.In order to satisfy our retention requirements, we want to migrate logs from the existing to the new instance.
I'm aware that you can migrate Splunk indexes.However, we only need select logs migrated from the existing instance to the new.Since we have summary indexing enabled for the select that we want migrated,I was wondering whether migrating the summary index to the new instance will give us access to the select logs on the new instance. Also, I would like to know if the migrated summary index(data)will be in raw format once migrated.This is important because of the retention requirement.
All inputs are appreciated.
Lamide
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hello Lamide,
If you are planning to migrate your summary index alone follow the below steps.
- Take the indexes.conf settings and update the same in your target environment.
- Copy the whole index directory to the target environment maintaining the same directory structure.
- Restart the splunk service to synchronize
- if you want to increase the retention period increase the frozen second option.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Summary index / raw index has nothing to do with the retention policy. Secondly they do stay in a summarized format but it depends what you have put in there. So if you copy them over to the new environment as i have suggested it will work perfectly.
Just change the
frozenTimePeriodInSecs
for your summery index definitions to make retention period more.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Thanks linu1988!
Can you(or anyone)please chime in on the second part of the question if you can?...i.e., Is the migrated summary index(data)in the same format as a regular migrated Splunk index.The concern is that the migrated summary index may not be in the format(raw logs) and this may not fulfill the log retention requirements.
I'm almost sure that I read somewhere in the Splunk documentation that the log format for the Summary Index is different from that of a regular Splunk indexer but, I can seem to find where I read it.Any assistance will be very appreciated.
Regards,
Olamide.
Register for FREE Today!
We've made .conf21 totally virtual
and totally FREE! Our completely
online experience will run from 10/19
through 10/20 with some additional
events, too!
Learn More or Register Now >
