Channel: Questions in topic: "splunk-enterprise"

What are the steps to move old index data to another instance indexer with the same index name?

I have been tasked with the following and am really looking for a recipe to accomplish my task. I need to move the entire contents of an index from an old Splunk indexer, (running release 5.5), to a new indexer, (running release 6.3). The index name already exists on the new Splunk indexer and has been collecting data for the past few months. The data in the old indexer runs from about a year ago to current. Basically I need to merge the old data with the new data.

Working from the Splunk documents I have about half of the steps;

Step 1:

A. On the legacy Splunk instance, create the target directory and make sure it has write permissions for the user Splunk Enterprise runs as. For example, if Splunk Enterprise runs as user "splunk", give it ownership of the directory:

    mkdir /foo/bar
    chown splunk /foo/bar/

B. When the new index home is ready, stop the indexer. Navigate to the $SPLUNK_HOME/bin/ directory and run this command:

    splunk stop

C. Copy the existing index file system to its new home:

    cp -rp $SPLUNK_DB/ /foo/bar/

Step 2:

A. Copy the directory to the new server.

Step 3:

A. ????

As you can see, I'm missing all the steps on how to add the data to the existing 6.3 index under the same name. If someone can let me know how to do that, or point me to where I can find that information, I'd really appreciate it.
