Re: snapshot search index

PIETRO_CENTANNI · ‎10-30-2015

Hi

I have a server that works to search-haed and a by search-index . They're virtual machines and before upgrade to search-index I wanted to rate a snap to image. if I comeback with the server by image how indexes behave ?

thanks

martin_mueller · ‎10-31-2015

Assuming your snapshot restores the machine to the correct state, the indexes will be fine. To be on the safe side you may want to stop the indexer when making the snapshot, then you won't accidentally snapshot some in-flight data in a bad state. However, even if that happens, the damage would always be contained to that bucket.

PIETRO_CENTANNI · ‎11-03-2015

Thanks Martin for your answers

Yesterday I analyzed the problem. The sending dates is via forwarder and syslog come from port 514. From like you said you monitor all is complicated.

Interesting your suggestion about back up new buckets. I tried to stop indexer for 10 minutes and I see the behavior of the buckets. The folders hot_v1_nnn change in db_nnn and generate new hot_v1_xxx.
But is it then simply add this folder in directory relevant?
Thanks

martin_mueller · ‎11-03-2015

http://www.georgestarcher.com/splunk-success-with-syslog/

When manually copying buckets around you need to be careful to align the bucket IDs to avoid duplicates, so make sure you do that on a testing instance first or get someone who already has done that before.

PIETRO_CENTANNI · ‎11-02-2015

I was thinking if I can disable forwarding setting inputs.conf in and after I make to the snapshot , make the ugrade , I do various tests without the risk arrive That datas .

[splunktcp://9997]
connection_host = ip
disable = 1

At the End of the test I can REMOVE the disable and receive all date.
this is possible? this is a correct procedures?

martin_mueller · ‎11-02-2015

That would indeed stop forwarders from sending data. Assuming you're able to keep all monitored files around, and can queue all other data such as network sources then yeah, this might work.

As an alternative, in case of problems after the upgrade you could back up new buckets, restore the snapshot, and add in the new buckets from after the upgrade.

PIETRO_CENTANNI · ‎11-02-2015

Today I try to test and I tell you the result.
thanks

PIETRO_CENTANNI · ‎11-02-2015

I am sorry but this test is impossible Because there is the risk of losing dates .
I stop indexer before i make the snapshot , I make the upgrade and after I start by indexer .
If I turn back because there are problems and I copy the my snapshot I lose all the datas in the range time.

martin_mueller · ‎11-02-2015

You should be more specific in your question - a general question gets a general answer, a detailed question gets a detailed answer.

If you snapshot the indexer and let forwarders send data afterwards, that snapshot will not contain this new data. Restoring to the snapshot will restore the state at the time of snapshot, dropping all new data.

woodcock · ‎10-30-2015

Please restate with many more words and sample data with desired sample output.

snapshot search index

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024