Will be there any log data loss when switching ind...

maniu1609 · ‎03-09-2018

Please consider that we have a ten lines of events in a web server and We are collecting logs using universal forwarder and sending them to indexerA.

Now IndexerA indexed four lines of events. Now I went to web server and changed the indexer details in output.conf file so that remaining events will be indexed at IndexerB for example. Now remaining 6 lines of events will be indexed at IndexerB.

Again I changed indexer details in output.conf and updated indexer as IndexerA.

So my question here is, The remaining 6 lines of events that are not indexed at IndexerA will be indexed in IndexerA or not?

skoelpin · ‎03-09-2018

The data lives on the indexers, so if you have 2 indexers and one indexer receives some data while the other indexers receives other data then your search head will need to search both indexers for you to get the complete dataset. So it doesn't matter what indexer gets the data, aslong as both indexers are highly available so the data can be searched.

Here's an example

IndexerA = 4 lines of data
IndexerB = 6 lines of data

If you take indexerA offline and your search head can only search IndexerB, you will only see 6 lines of data. If you bring IndexerA back up then your search head can search both indexers and 10 lines will be returned.

If you cluster your indexers then this will change. If you take IndexerA offline, then your search head will query only indexerB and see the full 10 lines of data. Indexer clustering requires a number of total copies and searchable copies. In this case with 2 indexers, you would probably set 2 total copies with 1 searchable copy on each indexer. This means that when an indexer goes down, it will turn that non-searchable copy into a searchable copy allowing you to search all your data

tiagofbmm · ‎03-09-2018

What do you mean "lines of events"?

If you mean you have 10 sources of events that you are sending to the Indexers, once they arrive to one of them (say IndexerA), then they will never be in IndexerB if you change the outputs.conf after the events have been indexed in IndexerA.

So if you were sending 4 sources to IndexerA, then added 6 sources to IndexerB and later changed the outputs.conf to target the 6 sources to IndexerA, then the events that were indexed between your outputs.conf changes will reside on IndexerB only.

After you changed the outputs.conf to send the 6 sources to IndexerA, all the 10 sources will be on IndexerA, except for that period of time where you were sending to IndexerB.

Let me know if this clarified your question.

maniu1609 · ‎03-09-2018

just 10 events and each event has its own unique timestamp as below

09/03/2018 10:01:00AM aaaaaaa
09/03/2018 10:02:00AM bbbbbb
09/03/2018 10:03:00AM ccccccc
09/03/2018 10:04:00AM dddddd
09/03/2018 10:05:00AM eeeeee
09/03/2018 10:06:00AM ffffffffff
09/03/2018 10:07:00AM gggggg
09/03/2018 10:08:00AM hhhhhh
09/03/2018 10:09:00AM iiiiiiiiiiiii
09/03/2018 10:10:00AM jjjjjjjjjjjjjj

tiagofbmm · ‎03-09-2018

Ok understood so my answer remains valid

maniu1609 · ‎03-09-2018

The 6 lines indexed at indexerB will be again indexed at indexerA?

tiagofbmm · ‎03-09-2018

No, like I said, everything will be on indexerA except the ones between your changes in outputs.conf.

So the lines from indexerB will never be copied or moved or returned to indexerA.

I'm assuming you are saying 10 lines but you have many more lines. If you really made a mistake and need to get those events from indexerB to indexerA, you would need to move those buckets on the indexerB to indexerA and make sure no collision occurs with bucket IDs.

Will be there any log data loss when switching indexers?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life