Hi all,
consider the following scenario: there are two Splunk infrastructures. The first (A) collects data from several forwarders and forwards a subset of this data to a second indexer (B). When B receives the data forwarded from A, it performs several index-time transforms (metadata changes like index, source, sourcetype, host) based on data from the received flow (who was the original host, source, etc.).
A lost connectivity with B for some days due to network-related issues, and now B has a gap in the forwarded data. Is there a way to fill this gap somehow? Consider that A is an indexer too, so it has all the data stored. Unfortunately, all the methods I tried (dump, exporttool, moving indexes) do not allow B to reprocess the data using the same index-time rules, because the source data IS different (different source, different host, etc.).
I don't care if the imported data will count toward the indexed daily volume, as I can create chunks and import some each day.
If someone has already faced this issue or has any suggestion, I would really appreciate it.
Thank you
Mario