
How to migrate entire index data from one Splunk server to another Splunk server

I have a Splunk server with index data for 650k events. I want to migrate the entire data from one instance to another new instance. I tried using a migration script with the data field -27D@d, but I can only migrate 50k events. -27D@d is the point from where initial data is available. Can you please help me here? Here's the code:

import json
import requests
import splunklib.client as client
import splunklib.results as results

service = client.connect(host="host1", port=8089, username="admin", password="xxxx")

# -27D@d is the point from which data is available, so it is the earliest
# bound of the window; 'latest=-27D@d' would only return events older than it.
rr = results.ResultsReader(
    service.jobs.export('search index=my_index earliest=-27D@d')
)

url = 'http://host2:8088/services/collector'
authHeader = {'Authorization': 'Splunk 5fbxxxx'}

for result in rr:
    if isinstance(result, results.Message):
        # Diagnostic messages from the search job, not events
        continue
    elif isinstance(result, dict):
        final = dict(result)
        data = final['_raw']
        send_string = json.dumps({"event": data, "source": "test"},
                                 ensure_ascii=False).encode('utf8')
        # Send this event to the HEC endpoint on the new instance
        response = requests.post(url, headers=authHeader, data=send_string, verify=False)
        if response.status_code == 200:
            print("Successfully pushed the data to Splunk source")
        else:
            print("Failed to push the data to Splunk source")
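The script above posts one HEC request per event and drops the original timestamp, host and sourcetype, so the copy on host2 is re-stamped with ingest time. The following is an added example (not the asker's code, and not part of Splunk's SDK) of how the same forwarding can be done in batches while preserving that metadata and checking the HEC response body. It assumes the rows come from the asker's splunklib export reader (any iterable of dicts with `_raw`, `_time`, `host`, `source`, `sourcetype` works); the sample rows, the index name `my_index`, the token and the HEC URL are constructed placeholders, and `time_windows` is a hypothetical helper for splitting a large export into per-day searches. The HEC URL should normally be `https://`, which is what port 8088 serves by default.

```python
import json
import urllib.request
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample rows, shaped like what the splunklib export reader yields
# for 'search index=my_index' (values are made up for this example).
SAMPLE_ROWS = [
    {"_time": "2024-01-05T10:00:00.000+00:00",
     "_raw": "Jan  5 10:00:00 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5",
     "host": "host1", "source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"_time": "2024-01-05T10:00:07.000+00:00",
     "_raw": "Jan  5 10:00:07 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart splunk",
     "host": "host1", "source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"_time": "not-a-timestamp",
     "_raw": "event with an unparsable _time still gets forwarded",
     "host": "host1", "source": "", "sourcetype": "syslog"},
]


def iso_to_epoch(value: str) -> Optional[float]:
    """Parse Splunk's ISO-8601 _time into epoch seconds; None if unparsable."""
    try:
        return datetime.fromisoformat(value).timestamp()
    except ValueError:
        return None


def to_hec_event(row: Dict[str, str], index: str) -> Dict[str, object]:
    """Build one HEC event that keeps the original timestamp and metadata,
    so the copy is not re-stamped with the ingest time on the new server."""
    event: Dict[str, object] = {"event": row["_raw"], "index": index}
    for key in ("host", "source", "sourcetype"):
        if row.get(key):  # skip empty fields instead of sending ""
            event[key] = row[key]
    epoch = iso_to_epoch(row.get("_time", ""))
    if epoch is not None:
        event["time"] = epoch
    return event


def build_batches(rows: Iterable[Dict[str, str]], index: str,
                  max_bytes: int = 1_000_000) -> Iterator[bytes]:
    """Yield HEC payloads: several JSON events joined by newlines, each payload
    kept under max_bytes so the collector's content-length limit is not hit."""
    batch: List[bytes] = []
    size = 0
    for row in rows:
        line = json.dumps(to_hec_event(row, index), ensure_ascii=False).encode("utf-8")
        if batch and size + len(line) + 1 > max_bytes:
            yield b"\n".join(batch)
            batch, size = [], 0
        batch.append(line)
        size += len(line) + 1
    if batch:
        yield b"\n".join(batch)


def time_windows(earliest: int, latest: int, step: int) -> Iterator[Tuple[int, int]]:
    """Split [earliest, latest) into fixed-size epoch windows so each export
    job stays small instead of one search over the whole index (hypothetical helper)."""
    start = earliest
    while start < latest:
        end = min(start + step, latest)
        yield start, end
        start = end


def send_batch(hec_url: str, token: str, payload: bytes) -> dict:
    """POST one payload to HEC and fail loudly unless HEC answers with code 0."""
    req = urllib.request.Request(
        hec_url, data=payload, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    if body.get("code") != 0:
        raise RuntimeError(f"HEC rejected batch: {body}")
    return body


def migrate(rows: Iterable[Dict[str, str]], hec_url: str, token: str, index: str) -> int:
    """Forward all rows in batches; returns the number of batches sent."""
    sent = 0
    for payload in build_batches(rows, index):
        send_batch(hec_url, token, payload)
        sent += 1
    return sent


if __name__ == "__main__":
    # Offline dry run over the constructed rows. For a real run, pass the export
    # reader: migrate(rr, "https://host2:8088/services/collector", TOKEN, "my_index")
    for window in time_windows(1704412800, 1704585600, 86400):
        print("export window (epoch):", window)
    for payload in build_batches(SAMPLE_ROWS, "my_index", max_bytes=250):
        print(len(payload), "bytes:", payload.decode("utf-8"))
```

Batching by bytes rather than by a fixed event count keeps the payload under the collector's limit regardless of how large individual `_raw` lines are, and checking `code` in the response body catches cases where HEC returns HTTP 200 but reports a problem with the payload.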

If the index my_index does not exist on host2, just copy the directory $SPLUNK_DB/my_index to host2, add my_index to indexes.conf, and restart Splunk.
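The step "add my_index to indexes.conf" is the part of this answer that is easiest to get wrong: the stanza has to point at the copied tree, and a duplicate stanza or a misspelled index name will keep Splunk from starting cleanly. The following is an added example (not from the answerer, and not a Splunk tool) that writes the minimal stanza only if it is absent, validates the index name against Splunk's documented naming rule (lowercase letters, digits, underscores and hyphens, no leading underscore or hyphen, no "kvstore"), and checks that the copied directory has the `db`, `colddb` and `thaweddb` subdirectories the stanza refers to. The paths, the `my_index` name and the `demo_roundtrip` helper are assumptions for this example; `$SPLUNK_DB` is left literal in the stanza because Splunk expands it itself.

```python
import os
import re
import tempfile
from typing import List

# Subdirectories a copied $SPLUNK_DB/<index> tree is expected to contain.
EXPECTED_SUBDIRS = ("db", "colddb", "thaweddb")

# Splunk's index naming rule: lowercase letters, digits, underscore, hyphen;
# may not start with an underscore or hyphen.
INDEX_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def valid_index_name(name: str) -> bool:
    return bool(INDEX_NAME_RE.match(name)) and "kvstore" not in name


def index_stanza(name: str) -> str:
    """Minimal indexes.conf stanza pointing Splunk at a copied index tree."""
    return (
        f"[{name}]\n"
        f"homePath = $SPLUNK_DB/{name}/db\n"
        f"coldPath = $SPLUNK_DB/{name}/colddb\n"
        f"thawedPath = $SPLUNK_DB/{name}/thaweddb\n"
    )


def has_stanza(conf_text: str, name: str) -> bool:
    """True if a [name] stanza header already exists, so it is not duplicated."""
    return re.search(r"^\[" + re.escape(name) + r"\][ \t]*$", conf_text, re.M) is not None


def ensure_index_stanza(conf_path: str, name: str) -> bool:
    """Append the stanza to conf_path unless present. Returns True if the file changed."""
    if not valid_index_name(name):
        raise ValueError(f"invalid index name: {name!r}")
    text = ""
    if os.path.exists(conf_path):
        with open(conf_path, encoding="utf-8") as fh:
            text = fh.read()
    if has_stanza(text, name):
        return False
    if text and not text.endswith("\n"):
        text += "\n"
    if text:
        text += "\n"  # blank line between stanzas
    os.makedirs(os.path.dirname(conf_path) or ".", exist_ok=True)
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write(text + index_stanza(name))
    return True


def missing_index_dirs(index_dir: str) -> List[str]:
    """Names of expected subdirectories absent from a copied index tree."""
    return [d for d in EXPECTED_SUBDIRS if not os.path.isdir(os.path.join(index_dir, d))]


def demo_roundtrip() -> dict:
    """Offline exercise in a temp dir laid out like $SPLUNK_HOME; returns what each call reported."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "etc", "apps", "search", "local", "indexes.conf")
        first = ensure_index_stanza(conf, "my_index")   # file created, stanza written
        second = ensure_index_stanza(conf, "my_index")  # already present, no change
        idx = os.path.join(tmp, "var", "lib", "splunk", "my_index")
        os.makedirs(os.path.join(idx, "db"))
        os.makedirs(os.path.join(idx, "colddb"))        # thaweddb deliberately left out
        missing = missing_index_dirs(idx)
        with open(conf, encoding="utf-8") as fh:
            stanza_count = fh.read().count("[my_index]")
        return {"first": first, "second": second, "missing": missing, "stanzas": stanza_count}


if __name__ == "__main__":
    # Real use: ensure_index_stanza("/opt/splunk/etc/apps/search/local/indexes.conf", "my_index")
    # followed by missing_index_dirs("/opt/splunk/var/lib/splunk/my_index") before restarting.
    print(demo_roundtrip())
```

A missing `thaweddb` (or `colddb`) directory is worth catching before the restart, since Splunk creates the paths from the stanza and an incomplete copy can leave warm or cold buckets orphaned on the old server.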

I managed to do this with the Splunk Docker image. I imagine it's the same with a regular installation.

Note: In this example, $SPLUNK_HOME === /opt/splunk

First I backed it up:

mkdir splunk_backup
cd splunk_backup

# Back up index data
mkdir -p ./opt/splunk/var/lib/splunk
sudo docker cp $container:/opt/splunk/var/lib/splunk/defaultdb ./opt/splunk/var/lib/splunk

# Back up index configurations and dashboards
# - config is at      /opt/splunk/etc/apps/search/local/indexes.conf
# - dashboards are at /opt/splunk/etc/apps/search/local/data/ui/views
mkdir -p ./opt/splunk/etc/apps/search
sudo docker cp $container:/opt/splunk/etc/apps/search/local ./opt/splunk/etc/apps/search

# Back up users and reports
mkdir -p ./opt/splunk/etc
sudo docker cp $container:/opt/splunk/etc/users ./opt/splunk/etc

Then I went to the new server, launched Splunk, and stopped it:

sudo docker run --env SPLUNK_START_ARGS="--accept-license" --env SPLUNK_PASSWORD="FILL_THIS_IN" -p 8000:8000 -p 8088:8088 -p 9997:9997 -d --restart unless-stopped splunk/splunk:latest
sudo docker ps  # wait for it to say (healthy) then grab container ID
sudo docker stop $new_container

Then I restored it on the new server:

cd splunk_backup
sudo docker cp ./opt/splunk/ $new_container:/opt

Then I started the new server back up:

sudo docker start $new_container

As far as I can tell, all of my data, indices, users, reports, and dashboards were copied over successfully!
