Deployment Architecture

Can you trigger index replication for a read-only index?

conner9
Path Finder

I've added a new indexer to the cluster and I would like to force replication of some older archived indexes. I'm curious if there's a way to trigger Splunk to replicate the indexes, since they are not being written to anymore, or is it better for me to just copy the index files over?

Also, any best practices on configuration for an archived index to ensure it's not wasting resources.

Thanks in advance,

David

0 Karma
1 Solution

Jeremiah
Motivator

If its an older archive that was not generated from an active cluster member, there's not much you can do to force it to replicate. Index buckets created pre-clustering aren't in the right format to be replicated. If you want to, you could distribute the buckets to other cluster members, but that won't give you redundancy, it will just distribute the search load. You have to make sure to avoid bucket numbering collisions as well as duplicating buckets across the cluster (or you'll see duplicate events in your search).

View solution in original post

Jeremiah
Motivator

If its an older archive that was not generated from an active cluster member, there's not much you can do to force it to replicate. Index buckets created pre-clustering aren't in the right format to be replicated. If you want to, you could distribute the buckets to other cluster members, but that won't give you redundancy, it will just distribute the search load. You have to make sure to avoid bucket numbering collisions as well as duplicating buckets across the cluster (or you'll see duplicate events in your search).

conner9
Path Finder

That's what I thought, thanks so much for confirming.

0 Karma

Jeremiah
Motivator

Could you clarify what you mean by "archived index"?

0 Karma

conner9
Path Finder

Sorry, my definition is older data that was moved from old version of splunk, configured to be read from but no longer written to. the readonly option is set against the index.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...