- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- Re: Export Index Data from Production Splunk and I...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Export Index Data from Production Splunk and Import intoTest Instance of Splunk
Morning All,
I would like to export index data from my Production instance of Splunk and import that same index data into a Test instance of Splunk for the sole purpose of evaluating apps, refining searches and education purposes. The Test instance will not need to receive any further data, ideally it will exist on a standalone server and I don’t mind exactly how much data I have in the index (perhaps 60 days) as the sources have been consistsnet for some time now. If I can do something as simple as copy some cold index files that approach works too.
I have reviewed the wiki article ”How to move an index from one Splunk installation to another” (http://wiki.splunk.com/Community:MoveIndexes) and it appears I only need to follow steps 2 and 3. Can someone please offer some advise as to whether this is the best approach to achieve my goals of evaluating and tuning potential apps, refining searches and education purposes.
Thanks,
Adam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this approach can be used in cluster setup? because the data is pretty much sharded to different hosts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep thats pretty much it.
Don't copy the .bucketmanifest and splunk will re-read the buckets and automatically re-write it.
You can take a subset of the data by just taking which ever buckets you want (based on the marked epoch times) from the cold or warm storage. As its a new test instance you won't have to rename id's or anything like that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ensure that your user/role has access to the index in question. Go to Manager -> Access Controls -> Roles -> <your role>.
At the bottom you'll find two settings for access rights, and which indexes are searched by default.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the response.
I have tried adding a subset of the data by copying a single folder from last month (based on epoch time) however when I restart Splunk the data is not picked or indexed. Are you able to please elaborate upon your instructions so I can examine why it isnt working? As a side note the data is from a index called domain as oppose to the default index of main.
Thanks,
Adam
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
