- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Add new indexers, keeping old for historical
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an indexer challenge that was hoping to get help with. We have 4 indexers with a significant amount of historical data. We are adding 4 new indexers with significantly more resources to overcome performance problems. Is it possible to do the following and if so what would be the best way to address this?
- Write all new events to the 4 new indexers
- Keep the 4 old indexers online and searchable, but do not write new events to these indexers
- Search is possible against all 8 indexers
- NO replication between the 4 old, and 4 new indexers. Only replication within their group.
Thanks in advance for the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is quite simple.
You only have to replace the 4 old with your 4 new Indexer in the outputs.conf of your forwarders, and then they will send the data to the new ones.
On the Master you have to add the 4 new Indexers as Searchpeers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is quite simple.
You only have to replace the 4 old with your 4 new Indexer in the outputs.conf of your forwarders, and then they will send the data to the new ones.
On the Master you have to add the 4 new Indexers as Searchpeers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured as much, but asking never hurt (learn from somebody else, before causing bigger problems). Regarding replication, what is to keep the old indexers from replicating with the new? I do not want the new indexers to know about the old indexed events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to to edit cluster configuration.
At the moment i haven't here a replication environment, but in my notes i have a note that you can just edit the cluster config to replace the old with the new ones.
But I suggest you give the old one a new site id and using for the new ones the old site id.
the parameter -site_replication_factor does the the magic with the replication.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Sitereplicationfactor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks... Found that same link as well a few minutes ago and agree that the answer is to create a new site, and search against both.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
