Deployment Architecture

Move single index to another indexer using replication?

mfrost8
Builder

I see the whole "how do I move an index from one indexer to another" question has been asked before. I see there's even a wiki entry about it. However, it looks like those are all relatively old questions/answers. I'm pretty sure those all pre-date Splunk 6.

I was curious if perhaps there's some newer method to copy an index that might involve index replication of some sort nowadays? The amount of data I have to move is fairly large and I have to move it across a WAN. It's actually an index that's auto-loadbalanced on two servers in one datacenter that I'd want to move to two other servers in another datacenter. I thought it would sure be handy if I could do something like turn on replication, let that data sync behind the scenes for a week, say, then just turn the indexes off on the current servers and be done with it.

I don't suppose there is such a thing with Splunk 6? If not, then I assume the answer is still what's in the wiki.

Thanks

0 Karma

martin_mueller
SplunkTrust

Index replication in the Splunk 5+ cluster sense doesn't replicate old buckets, and often isn't a good idea over a WAN anyway.

I'd set up a rate-limited rsync to copy over cold and warm buckets, grabbing new warm buckets once they stopped being hot. Once that's moved everything except currently hot buckets you can stop indexing on the old machines, move over the remaining buckets, and start indexing on the new machines - assuming you want to switch rather than just replicate.

0 Karma
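The copy pass described in the answer above, as an added example that is not part of the original reply. It assumes Splunk's default bucket naming (`db_<newest>_<oldest>_<id>` for warm and cold buckets, `hot_v1_<id>` for hot ones) under an index's `db/` and `colddb/` directories, and a destination index directory that starts empty; the function names, paths, host and bandwidth figure are hypothetical.

```shell
#!/bin/sh
# Added example: copy only closed (warm/cold) buckets, leave hot buckets alone,
# and check nothing is missing before the old indexer is retired.

# Print the bucket directories in $1 that are safe to copy while splunkd runs.
# Hot buckets (hot_v1_*) are still being written, so only db_* names qualify.
list_copyable_buckets() {
    for b in "$1"/db_*; do
        if [ -d "$b" ]; then
            basename "$b"
        fi
    done
    return 0
}

# Copy every closed bucket from local directory $1 to rsync destination $2,
# capped at $3 KiB/s so the WAN link is not saturated. Closed buckets no longer
# change, so repeated runs only transfer buckets that rolled since the last pass.
sync_buckets() {
    for b in $(list_copyable_buckets "$1"); do
        rsync -a --partial --bwlimit="$3" "$1/$b" "$2/" || return 1
    done
}

# Print buckets present in directory $1 but absent from directory $2.
# Run it against a locally visible copy of the destination after the final
# pass; empty output means every closed bucket arrived.
missing_buckets() {
    for b in $(list_copyable_buckets "$1"); do
        if [ ! -d "$2/$b" ]; then
            echo "$b"
        fi
    done
    return 0
}

# Hypothetical usage, repeated (for example from cron) until cutover:
#   SRC=/opt/splunk/var/lib/splunk/myindex
#   sync_buckets "$SRC/db"     newidx01:/opt/splunk/var/lib/splunk/myindex/db     5000
#   sync_buckets "$SRC/colddb" newidx01:/opt/splunk/var/lib/splunk/myindex/colddb 5000
```

At cutover, stop Splunk on the old indexer first, since a clean shutdown rolls the remaining hot buckets to warm, then run one last pass and the `missing_buckets` check before starting indexing on the new machine.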