Restore archived data by moving the archive into the thawed directory

ssingh5 — Mon, 28 Sep 2020 11:26:18 GMT

Hi have followed the following Splunk Restore archived data, but coudnot able to searched the restored data. Can any one please help me, is there any ohter way to restore archived data back into splunk.

Restore archived data by moving the archive into the thawed directory,

$SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb. You can restore an archive to a
Splunk server regardless of operating system with some restrictions -- data generated on 64bit
systems is not likely to work well on 32 bit systems, and data cannot be moved from PowerPC or
Sparc systems to x86 or x86-64 systems, and vice versa. Data in thaweddb is not subject to the
server's index aging scheme (hot > warm> cold > frozen). You can put old archived data in thawed
for as long as you need. When the data is no longer needed, simply delete it or move it out of thawed.
The details of how to restore archived data depends on how it was archived. You can restore
archived data to any index or instance of Splunk, with the caveat that you do not introduce bucket ID
conflicts to your index. Archived data does not need to be restored to its pre-archival location.

**nix users*

Here is an example of safely moving a previously saved archive bucket to thawed.
1. Copy your archive bucket to the thawed directory.
# cp -r db_1181756465_1162600547_0 $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/temporary-db_255
Note: If the archived db was compressed, be sure to uncompress the contents in the temporary
directory.
2. Rename the directory you just copied into the thawed directory to something that Splunk will
recognize:

cd $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/

mv temporary-db_1181756465_1162600547_0 db_1181756465_1162600547_0

Note: This examples assumes that the bucket id '0' does not conflict with any other bucket in the
main (defaultdb) index. If it does, you will have to move the bucket to a non-conflicting bucket ID.
3. Refresh the manifests:

cd $SPLUNK_HOME/bin

./splunk login

./splunk _internal call /data/indexes/main/rebuild-metadata-and-manifests

After a few moments, the contents of your newly thawed buckets should be searchable again.

Re: Restore archived data by moving the archive into the thawed directory

arber — Thu, 21 Apr 2016 14:03:58 GMT

Save yourself time and use this script

https://github.com/tuwid/splunk_frozen_db_restore

like below :

root@XXXXXX:~# python splunk_frozen_db_restore.py
We're using the default index path, for custom indexes please adjust the path variable here
Enter index:winevents_security
Enter start date: (eg 30.12.2015): 31.12.2015
Enter end date: (eg 30.12.2015): 01.01.2016
[+] Searching dates on index winevents_security
in /opt/splunk/var/lib/splunk/winevents_security/frozendb/
1451516400
1451602800
Got 313 elements from /opt/splunk/var/lib/splunk/winevents_security/frozendb/
Found : db_1452350660_1451453107_329
[+] Copying databases into thaweddb..
cp -R /opt/splunk/var/lib/splunk/winevents_security/frozendb/db_1452350660_1451453107_329 /opt/splunk/var/lib/splunk/winevents_security/thaweddb/
[+] Rebuilding DBs
splunkd fsck repair --one-bucket --include-hots --bucket-path=/opt/splunk/var/lib/splunk/winevents_security/thaweddb/db_1452350660_1451453107_329 --log-to--splunkd-log
root@XXXXXX:~#