I know this is probably a longshot, but is it possible to create a new summary index in our splunk 4 cluster with data run from a backfill script, the past year? Once the backfill is complete, is it possible to then migrate this splunk 4 summary index over to our splunk 6 indexers? I recall it's possible to migrate old indexes over but you lose the replication ability on that index. If we have the summary data migrated, that would be great. It would be fine if things like replication, report acceleration do not work with the migrated data.
Also, we have more indexers in the splunk 4 cluster vs the splunk 6 cluster. What would be the best way to merge two old splunk 4 summary indexes into one splunk 6 summary index?
In theory, yes. You may need to play around to find out what the best way is to perform this migration, based on your particular environment(s).
Additional readings:
Documentation links:
http://wiki.splunk.com/Community:MoveIndexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Migratenon-clusteredindexerstoaclustereden...
Similar Answers post for index migration:
http://answers.splunk.com/answers/133426/summary-index-migration.html
http://answers.splunk.com/answers/86982/moving-a-summary-index.html
Backfill summary index (these seem to be for 6+, though):
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesummaryindexgapsandoverlaps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usesummaryindexing
Backfill summary index:
http://answers.splunk.com/answers/40629/summary-index-backfill.html (one of the comments lists out a command to do backfill)
As an alternative, once everything's filled out as summary in the 4.x environment, you might be able to export the data as "raw", and re-ingest in the new v6.x environment (ex: create a temp directory on a forwarder, drop the file in there, let it pull the records and fire them across your v6.x indexers).
In theory, yes. You may need to play around to find out what the best way is to perform this migration, based on your particular environment(s).
Additional readings:
Documentation links:
http://wiki.splunk.com/Community:MoveIndexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Migratenon-clusteredindexerstoaclustereden...
Similar Answers post for index migration:
http://answers.splunk.com/answers/133426/summary-index-migration.html
http://answers.splunk.com/answers/86982/moving-a-summary-index.html
Backfill summary index (these seem to be for 6+, though):
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesummaryindexgapsandoverlaps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usesummaryindexing
Backfill summary index:
http://answers.splunk.com/answers/40629/summary-index-backfill.html (one of the comments lists out a command to do backfill)
As an alternative, once everything's filled out as summary in the 4.x environment, you might be able to export the data as "raw", and re-ingest in the new v6.x environment (ex: create a temp directory on a forwarder, drop the file in there, let it pull the records and fire them across your v6.x indexers).