Splunk Search

snapshot search index

PIETRO_CENTANNI
New Member

Hi

I have one server that works as a search head and one as a search-index. They're virtual machines, and before upgrading the search-index I wanted to take a snapshot image. If I go back to the server from the image, how do the indexes behave?

thanks

0 Karma

martin_mueller
SplunkTrust

Assuming your snapshot restores the machine to the correct state, the indexes will be fine. To be on the safe side you may want to stop the indexer when making the snapshot, then you won't accidentally snapshot some in-flight data in a bad state. However, even if that happens, the damage would always be contained to that bucket.

PIETRO_CENTANNI
New Member

Thanks, Martin, for your answers.

Yesterday I analyzed the problem. The data is sent via forwarder, and syslog comes in on port 514. As you said, monitoring everything is complicated.

Your suggestion about backing up new buckets is interesting. I tried stopping the indexer for 10 minutes and watched the behavior of the buckets. The hot_v1_nnn folders change to db_nnn and new hot_v1_xxx folders are generated.
But is it then simply a matter of adding this folder to the relevant directory?
Thanks

0 Karma

martin_mueller
SplunkTrust

http://www.georgestarcher.com/splunk-success-with-syslog/

When manually copying buckets around you need to be careful to align the bucket IDs to avoid duplicates, so make sure you do that on a testing instance first or get someone who already has done that before.

0 Karma
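As an added example (not part of the original thread and not Splunk tooling): a Python check for the bucket-ID duplicates mentioned above, run before copying backed-up buckets into a restored index. It assumes the directory-name patterns `db_<newest>_<oldest>_<id>` and `hot_v1_<id>`; the function names and the sample directories are constructed for illustration.

```python
import os
import re
import tempfile

# Assumed directory-name layouts (the thread only shows hot_v1_nnn / db_nnn):
#   warm/cold: db_<newest_epoch>_<oldest_epoch>_<local_id>[_<guid>]
#   hot:       hot_v1_<local_id>
BUCKET_RE = re.compile(r"^(?:db_\d+_\d+_(\d+)(?:_[0-9A-Fa-f-]+)?|hot_v1_(\d+))$")

def bucket_ids(index_db_dir):
    """Map local bucket ID -> directory name for one index's db directory."""
    ids = {}
    for name in sorted(os.listdir(index_db_dir)):
        m = BUCKET_RE.match(name)
        if m and os.path.isdir(os.path.join(index_db_dir, name)):
            ids[int(m.group(1) or m.group(2))] = name
    return ids

def plan_merge(restored_dir, backup_dir):
    """Return (safe, collisions) for copying backup buckets into restored_dir.

    safe:       backup bucket names whose ID is unused in the restored index
    collisions: (backup_name, restored_name) pairs that share an ID and must
                be given an unused ID before they are copied in
    """
    restored = bucket_ids(restored_dir)
    safe, collisions = [], []
    for bid, name in sorted(bucket_ids(backup_dir).items()):
        if name.startswith("hot_"):
            continue  # this example only considers rolled (db_) buckets
        if bid in restored:
            collisions.append((name, restored[bid]))
        else:
            safe.append(name)
    return safe, collisions

def demo():
    """Constructed layout: the snapshot held IDs 0-2, the backup holds 2-4."""
    layout = {
        "restored": ["db_1700000900_1700000000_0", "db_1700001900_1700001000_1", "hot_v1_2"],
        "backup": ["db_1700002900_1700002000_2", "db_1700003900_1700003000_3", "hot_v1_4"],
    }
    with tempfile.TemporaryDirectory() as root:
        for side, names in layout.items():
            for n in names:
                os.makedirs(os.path.join(root, side, n))
        return plan_merge(os.path.join(root, "restored"), os.path.join(root, "backup"))
```

In the constructed layout, bucket ID 2 was still hot when the snapshot was taken and rolled to `db_..._2` afterwards, so the restored index and the backup both claim ID 2; that pair is reported as a collision instead of being copied.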

PIETRO_CENTANNI
New Member

I was wondering whether I can disable forwarding with a setting in inputs.conf, and then, after I make the snapshot and the upgrade, run various tests without the risk of that data arriving.

[splunktcp://9997]
connection_host = ip
disabled = 1

At the end of the test I can remove the disable and receive all the data.
Is this possible? Is this a correct procedure?

0 Karma

martin_mueller
SplunkTrust

That would indeed stop forwarders from sending data. Assuming you're able to keep all monitored files around, and can queue all other data such as network sources then yeah, this might work.

As an alternative, in case of problems after the upgrade you could back up new buckets, restore the snapshot, and add in the new buckets from after the upgrade.

0 Karma

PIETRO_CENTANNI
New Member

Today I will try the test and tell you the result.
Thanks

0 Karma

PIETRO_CENTANNI
New Member

I am sorry, but this test is impossible because there is the risk of losing data.
I stop the indexer before I make the snapshot, I make the upgrade, and afterwards I start the indexer.
If I go back because there are problems and I copy my snapshot, I lose all the data in that time range.

0 Karma

martin_mueller
SplunkTrust

You should be more specific in your question - a general question gets a general answer, a detailed question gets a detailed answer.

If you snapshot the indexer and let forwarders send data afterwards, that snapshot will not contain this new data. Restoring to the snapshot will restore the state at the time of snapshot, dropping all new data.

0 Karma

woodcock
Esteemed Legend

Please restate with many more words and sample data with desired sample output.
