- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is it possible to migrate summary indexes from Spl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is probably a longshot, but is it possible to create a new summary index in our splunk 4 cluster with data run from a backfill script, the past year? Once the backfill is complete, is it possible to then migrate this splunk 4 summary index over to our splunk 6 indexers? I recall it's possible to migrate old indexes over but you lose the replication ability on that index. If we have the summary data migrated, that would be great. It would be fine if things like replication, report acceleration do not work with the migrated data.
Also, we have more indexers in the splunk 4 cluster vs the splunk 6 cluster. What would be the best way to merge two old splunk 4 summary indexes into one splunk 6 summary index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In theory, yes. You may need to play around to find out what the best way is to perform this migration, based on your particular environment(s).
Additional readings:
Documentation links:
http://wiki.splunk.com/Community:MoveIndexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Migratenon-clusteredindexerstoaclustereden...
Similar Answers post for index migration:
http://answers.splunk.com/answers/133426/summary-index-migration.html
http://answers.splunk.com/answers/86982/moving-a-summary-index.html
Backfill summary index (these seem to be for 6+, though):
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesummaryindexgapsandoverlaps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usesummaryindexing
Backfill summary index:
http://answers.splunk.com/answers/40629/summary-index-backfill.html (one of the comments lists out a command to do backfill)
As an alternative, once everything's filled out as summary in the 4.x environment, you might be able to export the data as "raw", and re-ingest in the new v6.x environment (ex: create a temp directory on a forwarder, drop the file in there, let it pull the records and fire them across your v6.x indexers).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In theory, yes. You may need to play around to find out what the best way is to perform this migration, based on your particular environment(s).
Additional readings:
Documentation links:
http://wiki.splunk.com/Community:MoveIndexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Migratenon-clusteredindexerstoaclustereden...
Similar Answers post for index migration:
http://answers.splunk.com/answers/133426/summary-index-migration.html
http://answers.splunk.com/answers/86982/moving-a-summary-index.html
Backfill summary index (these seem to be for 6+, though):
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesummaryindexgapsandoverlaps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usesummaryindexing
Backfill summary index:
http://answers.splunk.com/answers/40629/summary-index-backfill.html (one of the comments lists out a command to do backfill)
As an alternative, once everything's filled out as summary in the 4.x environment, you might be able to export the data as "raw", and re-ingest in the new v6.x environment (ex: create a temp directory on a forwarder, drop the file in there, let it pull the records and fire them across your v6.x indexers).
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
