To manually merge buckets from multiple legacy indexers onto one new indexer, I used these commands which work on RHEL7/8: 1. on the legacy indexers, in indexes.conf, set maxVolumeDataSizeMB=400 for the warm volume to force all buckets to roll to cold 2. on the legacy indexers, in /etc/sudoers add johndoe ALL=NOPASSWD:/usr/bin/rsync to enable passwordless sudo with rsync 3. on the new indexer, run this command to rysnc cold buckets from each legacy indexer to a subfolder on the new indexer: sudo rsync --delete --compress-level=0 -aPe ssh --rsync-path="sudo rsync" johndoe@192.168.1.108:/splunk_cold /splunk_cold/idx8 in the above case, 192.168.1.108 is the address for legacy indexer#8 4. on the new indexer, run this command to renumber the buckets from each indexer for i in /splunk_cold/idx8/*/colddb ; do echo $i ; cd $i ; ls ; for f in ` ls -rtd db_* `; do jj=` echo $f | cut -d "_" -f 4 `; kk=$(($jj + 8000)) ; ff=` echo $f | sed -e "s/_$jj\$/_$kk/" ` ; mv $f $ff ; done ; done in the above case, each bucket from indexer#8 with 3-digit id=xxx is changed to id=8xxx 5. on the new indexer, run this command to merge each subfolder to the parent folder cd /splunk_cold/idx8 ; 596 find -type d -exec mkdir -vp "/splunk_cold"/{} \; -or -exec mv -nv {} "/splunk_cold"/{} \;
... View more