Is there any way to point my old Splunk server at the new cluster and have it forward all of my previously indexed events to the cluster so that they are evenly distributed across the nodes and can take advantage of replication?
Splunk support says no. They say I can sync my old indexes to a single node of the cluster, but they won't take advantage of replication. I can have my search head run distributed searches on the old Splunk server, but then my old data won't get to take advantage of the new hardware in the cluster.
Has anyone in the community figured out a smart way to do this? Is there no way to tell an old indexer to forward all of its indexes to a new cluster?
Thx.
Craig
Hi,
I have similar trouble. I have my old data in an indexer and I want to make this indexer one of the 2 peer nodes in the cluster. Once I introduce a master node to this cluster of old and new indexers, will the old data on the old indexer be replicated to the new one and get me search capabilities on both nodes for the old data?
Thanks,
Arindam
I'm going to have to go with Support on this one. If your retention time isn't terribly long, I'd just set the old server as a search peer of the new cluster. Once the indexes expire, decommission the old server. Otherwise, I'd go with their first suggestion and copy the indexes over.