bcc/Fix-SplunkBuckets.ps1

## Fix-SplunkBuckets.ps1
# Used this to merge buckets from a cluster that was being deprecated into a single node for archive purposes.
# You can leave the node GUID, but the IDs do need to be unique. It's not pretty but it works.
#
# 0. Stop splunk
# 1. Copy {index}/db/db_* directories from each indexer (you can ignore the rb_ ones, those are replicated buckets). On windows, this works well over RDP: robocopy "\\tsclient\D\Splunk\var\lib\splunk" f:\indexes /MIR /XD "rb_*" /XD "hot_*" /XD "GlobalMetaData"
# 2. Add missing indexes to etc/system/local/indexes.conf
# 3. Run this script in the db directory for any index with conflicting bucket IDs (probably all of them that you've messed with)
# 4. If the internal indexes are fine and splunk starts (if not, check splunkd.log), check the index list for any other disabled indexes and enable them. This search will find any further conflicts: index="_internal" "id conflicts"
# 5. You might also need to handle colddb - easiest thing is to bump $id to a safe value (greater than number of buckets in db) and rerun.


$dirs = get-childitem |sort-object -Property name | where {$_.Name -match '^db_' }

$id = 0

$indexers = @{}
$dirs | % {
    $components = $_.Name -split '_'
    $indexers[$components[4]]++
}

foreach ($indexer in $indexers.Keys) {

   $indexer

   $dirs | % {

       $components = $_.Name -split '_'

       if ($components[4] -eq $indexer) {

           $from  = $components -join '_'
           $components[3] = $id
           $to  = $components -join '_'
           rename-item -Path $from -newname $to

           $id++
       }

   }
}
	# Used this to merge buckets from a cluster that was being deprecated into a single node for archive purposes.
	# You can leave the node GUID, but the IDs do need to be unique. It's not pretty but it works.
	#
	# 0. Stop splunk
	# 1. Copy {index}/db/db_* directories from each indexer (you can ignore the rb_ ones, those are replicated buckets). On windows, this works well over RDP: robocopy "\\tsclient\D\Splunk\var\lib\splunk" f:\indexes /MIR /XD "rb_" /XD "hot_" /XD "GlobalMetaData"
	# 2. Add missing indexes to etc/system/local/indexes.conf
	# 3. Run this script in the db directory for any index with conflicting bucket IDs (probably all of them that you've messed with)
	# 4. If the internal indexes are fine and splunk starts (if not, check splunkd.log), check the index list for any other disabled indexes and enable them. This search will find any further conflicts: index="_internal" "id conflicts"
	# 5. You might also need to handle colddb - easiest thing is to bump $id to a safe value (greater than number of buckets in db) and rerun.


	$dirs = get-childitem \|sort-object -Property name \| where {$_.Name -match '^db_' }

	$id = 0

	$indexers = @{}
	$dirs \| % {
	$components = $_.Name -split '_'
	$indexers[$components[4]]++
	}

	foreach ($indexer in $indexers.Keys) {

	$indexer

	$dirs \| % {

	$components = $_.Name -split '_'

	if ($components[4] -eq $indexer) {

	$from = $components -join '_'
	$components[3] = $id
	$to = $components -join '_'
	rename-item -Path $from -newname $to

	$id++
	}

	}
	}