The scenario is the following: I work for a small company that installed Splunk initially for a small user base as a standalone deployment. The demand has expanded to multiple departments and we need to convert to a distributed deployment. The deployment would be one dedicated search head, and one indexer.
My question is would this work for a conversion process?
1: Enable Index Clustering on current standalone instance.
2: Make the current standalone instance a master node.
3: Bring up new indexer as a peer node.
4: Replicate the data from standalone to new indexer.
5: Make new indexer the master node.
6: Convert current standalone to dedicated search head.
Is this a valid process?
Is there a reason, such as storage limitations, that you need to migrate the data off the existing stand-alone instance? The obvious easy path I see is to stand up the new server as a search head, and convert your existing instance into an indexer.
The issue with your current process is that your existing indexed data buckets are not "clustered" buckets, and will not replicate.
More info at this link: http://docs.splunk.com/Documentation/Splunk/7.1.0/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...
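
The naming difference the answer points to can be checked from a listing of an index's `db` directory. This is an added example (not part of the original answer and not Splunk tooling), assuming the documented bucket naming convention: standalone warm/cold buckets are named `db_<newest>_<oldest>_<localid>`, while clustered buckets carry a trailing peer GUID (`db_` for originating copies, `rb_` for replicated copies). The function names and sample directory names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed naming convention (from the Splunk indexer docs on bucket names):
#   standalone:        db_<newest>_<oldest>_<localid>
#   clustered origin:  db_<newest>_<oldest>_<localid>_<guid>
#   clustered replica: rb_<newest>_<oldest>_<localid>_<guid>
#   hot:               hot_v1_<localid>
GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
BUCKET = re.compile(
    rf"^(?P<prefix>db|rb)_(?P<newest>\d+)_(?P<oldest>\d+)_(?P<localid>\d+)"
    rf"(?:_(?P<guid>{GUID}))?$"
)
HOT = re.compile(r"^hot_v\d+_\d+$")


def classify_bucket(name):
    """Classify one directory name found under an index's db path."""
    if HOT.match(name):
        return "hot"
    m = BUCKET.match(name)
    if not m:
        return "other"  # not a bucket directory
    if m["guid"] is None:
        # No GUID suffix: created before clustering, will not be replicated.
        return "standalone" if m["prefix"] == "db" else "other"
    return "clustered-origin" if m["prefix"] == "db" else "clustered-replica"


def summarize(names):
    """Count bucket kinds in a directory listing."""
    return Counter(classify_bucket(n) for n in names)


# Constructed sample listing (not taken from a real deployment).
SAMPLE = [
    "hot_v1_12",
    "db_1525132800_1525046400_3",
    "db_1525219200_1525132800_4",
    "db_1527811200_1527724800_9_0A1B2C3D-1111-2222-3333-444455556666",
    "rb_1527811200_1527724800_2_AABBCCDD-9999-8888-7777-666655554444",
    "CreationTime",
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE).items()):
        print(f"{kind}: {count}")
```

To run it against a real index, pass `os.listdir()` of the index's `db` path to `summarize`; any count under `standalone` is data that exists only on that instance.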