
I'm in the process of migrating to new hardware for my indexers. The easiest way to do this would be:

  1. Set up new indexer
  2. Rsync var/lib/splunk (can I omit _internal or any other indexes?)
  3. Roll all indexes to warm
  4. Rsync again
  5. Update DNS entries to point to the new host

There will be a small amount of data loss during this transition. I've also thought about converting my indexer to a forwarder, cutting the DNS entries over, and then rsyncing afterward (being very careful not to conflict with the new data).

Any success stories on migrating to new hardware?

asked 02 Apr '10, 19:03

oreoshake


2 Answers:

Here's a rough document I wrote around this topic, but it's more about the configuration data and being sure it will work in the new environment, rather than the live handoff: http://www.splunk.com/wiki/Deploy:Migrating_a_Splunk_Install

When you rsync you might want to omit traversing the hot buckets, as you could end up doing a large amount of I/O for temporary files, i.e. transferring the same data many times.

I recommend the hulahoop approach of parallel installs. It gives you much more flexibility to deal with problems and ensure correctness. Once you have your parallel install proven to work nicely, you can run clean eventdata on it, and begin bringing data over from your old system.

You can merge the indexes, so long as you are sure to cut it off around the time that you brought up the new indexer, and avoid id collisions. I wrote a script in an attempt to ease the merging of indexes (handle the id collisions), but it isn't publicly facing yet. It's not a hard job, just renaming the directories so the third number doesn't collide.


answered 05 Apr '10, 19:27


jrodman ♦
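
An added example of the renaming described in the answer above (not jrodman's unreleased script and not Splunk code): it plans and applies the move of warm buckets from the old index directory into the new one, skipping hot buckets and any bucket that reaches past the cutoff, and renumbering ids that collide. The `db_<newest>_<oldest>_<id>` and `hot_v<N>_<id>` name patterns, the function names and the sample bucket names are assumptions, and it assumes Splunk is stopped while directories are moved.

```python
import os
import re
import shutil
import tempfile

# Assumed layout (not stated on the page): warm buckets are directories named
# db_<newest_epoch>_<oldest_epoch>_<id>; hot buckets are hot_v<N>_<id>.
WARM_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")
HOT_RE = re.compile(r"^hot_v\d+_(\d+)$")

def used_ids(db_dir):
    """Ids already taken in the destination, counting its hot buckets too."""
    found = (WARM_RE.match(n) or HOT_RE.match(n) for n in os.listdir(db_dir))
    return {int(m.group(m.lastindex)) for m in found if m}

def plan_merge(src_db, dst_db, cutoff):
    """Return (renames, skipped) for source warm buckets ending before cutoff."""
    used = used_ids(dst_db)
    matches = [m for m in map(WARM_RE.match, os.listdir(src_db)) if m]
    renames, skipped = [], []
    for m in sorted(matches, key=lambda m: int(m.group(3))):
        newest, oldest, bid = m.groups()
        if int(newest) >= cutoff:  # reaches into the new indexer's time range
            skipped.append(m.group(0))
            continue
        new_id = int(bid) if int(bid) not in used else max(used) + 1
        used.add(new_id)
        renames.append((m.group(0), f"db_{newest}_{oldest}_{new_id}"))
    return renames, skipped

def apply_plan(src_db, dst_db, renames):
    for old, new in renames:  # move each bucket in under its collision-free name
        shutil.move(os.path.join(src_db, old), os.path.join(dst_db, new))

def demo():
    """Constructed sample: made-up bucket names in two temporary directories."""
    old = ["db_1270000000_1269000000_3", "db_1270200000_1270000001_4",
           "db_1270500000_1270200001_5", "hot_v1_6"]
    new = ["db_1270450000_1270400000_3", "hot_v1_4"]
    with tempfile.TemporaryDirectory() as root:
        src, dst = os.path.join(root, "old_db"), os.path.join(root, "new_db")
        for base, names in ((src, old), (dst, new)):
            for n in names:
                os.makedirs(os.path.join(base, n))
        renames, skipped = plan_merge(src, dst, cutoff=1270400000)
        apply_plan(src, dst, renames)
        return renames, skipped, sorted(os.listdir(dst))

if __name__ == "__main__":
    print(demo())
```

Skipped buckets are reported rather than moved, so the ones that straddle the cutoff can be checked by hand before deciding what to do with them.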

Hi Neil, our general recommendation is to have Splunk on the new and old hardware operating in parallel during the migration. You can either split your data streams to both indexers or have the existing Splunk server index and forward to the other. Once you've verified the new indexer is running as expected, then you can make the switch to direct data only to the new indexer and retire the old one. This way data loss is less of a risk, and you have the chance to make changes to the new environment without affecting the existing production environment. This is the approach we've taken to migrate many production environments.


answered 04 Apr '10, 18:13

hulahoop ♦

That sounds like a good strategy, I guess I would just sync everything except the hot buckets on the old server? Assuming no new hot buckets created after the manual roll happen to roll to warm during the transition period.

(05 Apr '10, 16:29) oreoshake

Asked: 02 Apr '10, 19:03

Seen: 955 times

Last updated: 05 Apr '10, 19:27

Copyright © 2005-2012 Splunk, Inc. All rights reserved.