Deployment Architecture

How to create a cluster with an existing indexer without losing its data?

janot
New Member

Hello,

I have checked all the Splunk documentation and I cannot find any answer to my question (since I think I have a specific use case). I would be very glad if you can help me.

I currently have a Splunk Indexer in v6 which has indexed data for many months now.
Is it possible to create a cluster:
- based on my existing Indexer (node 1)
- by adding a new Indexer (node 2)
- without losing my current data.

Thank you in advance for your help!


ekost
Splunk Employee

Hello. To your point, there is not a recommendation or a specific procedure I can find that takes one existing Splunk indexer and makes a cluster out of it.

Why? That would require taking the known good and functioning production instance and putting it through a major configuration change without a back out option. Migrating an indexer to a cluster node is a one-way process.

Instead, this is a perfect opportunity to roll a full cluster, see it stabilize, learn how to administer it, and get comfortable with the changes to the app distribution process before making major changes to the data collection infrastructure. The existing instance continues working and the users are not impacted. Only after the forwarders/data collection is flipped over to the new cluster do you need to present the old data for searching.

ekost
Splunk Employee

Yes, you can add a non-clustered indexer to a cluster and have the unreplicated data searchable on 6.x versions of Splunk Enterprise. There is a lot to read on the topic of clusters, but you can begin with the topic "Migrate non-clustered indexers to a clustered environment" to validate the use case. It's best if there's a working cluster first, and the other indexer is added to the working cluster.

janot
New Member

Thank you ekost for your answer.
Unfortunately, I am still a little bit confused, since my use case is a little bit different from the one described in your link.

My use case is not really adding an Indexer to an existing cluster, but creating a cluster by using my current standalone Indexer and by adding a new Indexer + a Master Node. So it is more a cluster creation based on an existing standalone Splunk architecture than a cluster extension.

I will be very grateful if you could clarify this particular point.

Thank you again.
