Deployment Architecture

How to split data from old indexer to new indexers.

brent89567
New Member

I have a setup right now where we have 1 indexer in our test environment and we are putting 2 new indexers in the production environment. I need to know if I move all the data from the old indexer and split it evenly between the new indexers, will I run into any errors on the two indexers?

0 Karma

gcusello
SplunkTrust

Hi @brent89567,
you should share more information:

  • are the new indexers clustered or not?
  • if not clustered, do you want both indexers to receive all the logs, or will some indexes be on Indexer1 and some others on Indexer2?

Anyway, if you have clustered indexers, it isn't possible to replicate old data, so old data can be copied to one indexer (in a different index) and the new data will be replicated between both of them; the steps are:

  • stop all indexers,
  • copy indexes from the old Indexer to one of the new ones using a different name (e.g. my_index will be my_old_index),
  • restart Splunk on the new Indexers,
  • put indexes.conf on the Master Node and push the configuration,
  • change all your searches to search in both indexes (index=my_index OR index=my_old_index); a good idea is to use eventtypes in your searches so you have to change only the eventtype,
  • move addressing in Universal Forwarders to send logs to the new Indexers.

If instead you want to use stand-alone Indexers, you have to:

  • stop Splunk in all the three servers,
  • copy Indexes to one Indexer (eventually some indexes to Indexer1 and some others to Indexer2),
  • copy indexes.conf in both the new Indexers,
  • restart the new Indexers,
  • move addressing in Universal Forwarders to send logs to the new Indexers.

Ciao.
Giuseppe

0 Karma
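The configuration side of the steps in the answer above, as an added example that is not part of the original post or Splunk's own material. The index names my_index and my_old_index come from the answer; the eventtype name my_events, the output group new_indexers, the host names and the port 9997 are assumptions for illustration.

```ini
# --- indexes.conf (on the indexer that holds the copied data) ---
# Defines the renamed index so Splunk finds the buckets copied from the
# old indexer. The directory name under $SPLUNK_DB must match the
# directory the old index was copied into.
[my_old_index]
homePath   = $SPLUNK_DB/my_old_index/db
coldPath   = $SPLUNK_DB/my_old_index/colddb
thawedPath = $SPLUNK_DB/my_old_index/thaweddb

# --- eventtypes.conf (on the search head) ---
# One eventtype covers both the new and the old index, so saved searches
# reference eventtype=my_events and never need editing again when the
# old index ages out.
[my_events]
search = index=my_index OR index=my_old_index

# --- outputs.conf (on each Universal Forwarder) ---
# Listing both new indexers in one target group makes the forwarder
# load-balance new data across them (host names are placeholders).
[tcpout]
defaultGroup = new_indexers

[tcpout:new_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```

Before switching the forwarders over, a search such as `index=my_old_index | stats count by sourcetype` run against the new indexer confirms that the copied buckets are readable under the new index name.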

richgalloway
SplunkTrust

More information is needed.
Do you need to move the test data to production?
Are the indexers clustered in test or prod?
How much data is there?

---
If this reply helps you, Karma would be appreciated.
0 Karma