I have a plan to migrate data from a single splunk indexer to two separate indexers, reconfiguring the production system from Solaris to RedHat in the process. I've done some testing and it looks like this will work, but need a sanity check. If there are flaws in what I'm proposing let me know... Thanks.
Current environment:
Splunk indexer / web
Phase 1
rsync -av --progress --stats --rsync-path /opt/sfw/bin/rsync splunk@oldsplunkserver:/opt/splunk/var/lib/splunk/defaultdb/db/db_*{1,3,5,7,9} /opt/splunk/var/lib/splunk/migrate1/colddb/
Phase 2
End result should be:
Hrrrm. It sounds overly complicated in my humble opinion, but it should work..
This is what I did:
This is a good read as well:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Moveanindex
Hrrrm. It sounds overly complicated in my humble opinion, but it should work..
This is what I did:
This is a good read as well:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Moveanindex
Thanks for the confirmation... I had already read the documentation and ran some tests on my own, so I was pretty confident already. My constraint in my situation is the limitation of the two servers. The current production system is going to be refreshed and changed from solaris to redhat, so I don't have the luxury of simply having two servers to move to right off.