Copy the indexed bucket to another index path

splunker12er · ‎06-29-2014

Is it possible for me to copy the specific Index bucket to another Index path,

Eg:
I want to copy the indexed data from index name 'My-Index-Name-1' to 'My-Index-Name-2'
Just by cut and copy the bucket to new index path, will work ?

Search query: (will this work , after copy ?)

index=My-Index-Name-2 | table _raw

Details:

Index Name ->My-Index-Name-1
State -> Warm
Path -> /opt/splunk/var/lib/splunk/My-Index-Name-1/db/db_1403947472_1403779602_8

lguinn2 · ‎06-29-2014

This is risky to do, as each bucket in an index has an identifier that is unique to that index. If you copy a bucket to a different index, you will almost certainly cause a collision of bucket ids, which will cause errors.

It is safer to simply re-index the data, placing in the index where you want it to go.

If you have a deep understanding of how buckets and indexes are organized, you might consider how you could use tools like rebuilding buckets. But I am sure that Splunk Support would recommend against it.

splunker12er · ‎06-30-2014

I do need carefully select the selective Warm dbs and move to the new index folder , and check for bucket_id clash. if any I do need to modify the range accordingly and run the below command :

 ./splunk _internal call /data/indexes/MY-INDX-NAME/rebuild-metadata-and-manifests

doing so, I can be successful in moving the indexed data from one index to another index. (my case i want the data to be searched in the other index name)
Am i fine with the understanding? please correct me , if i am wrong.

splunker12er · ‎06-29-2014

whether the index name also stored along with the indexed data ? Or it depends on the path where the index resides ?

Copy the indexed bucket to another index path

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes