https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262590#M50378 <P>Are the indexers in the same cluster, different clusters, one is standalone, new indexer is in a cluster, both are standalone?</P> <P>Whats the setup? This is a very tricky operation IMHO.</P> Tue, 24 May 2016 13:09:12 GMT jkat54 2016-05-24T13:09:12Z https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262589#M50377 <P>For example, if I needed the logs dated from January 1, 2016 - January 31, 2016 moved to a different indexer. How can this be achieved?</P> Tue, 24 May 2016 12:55:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262589#M50377 cmcdole 2016-05-24T12:55:07Z https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262590#M50378 <P>Are the indexers in the same cluster, different clusters, one is standalone, new indexer is in a cluster, both are standalone?</P> <P>Whats the setup? This is a very tricky operation IMHO.</P> Tue, 24 May 2016 13:09:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262590#M50378 jkat54 2016-05-24T13:09:12Z https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262591#M50379 <P>Both the indexers are standalone.</P> Tue, 24 May 2016 13:14:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262591#M50379 cmcdole 2016-05-24T13:14:01Z https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262592#M50380 <P>Ok thanks... it will take a moment+ for me to type the answer.</P> Tue, 24 May 2016 13:27:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262592#M50380 jkat54 2016-05-24T13:27:04Z https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262593#M50381 <P>Easiest method is to run your search that considers that time frame, table _raw, then export it and import it. </P> <P>Of course the export has a default limit of 10k events in csv, etc... </P> <P>Another method is a bit more barbaric and probably wont get exact dates, but you can copy index buckets from one server to the other, and then using the delete command, you can trim it to the exact data you want. Bonus to this is there is no license hit. Drawback is that you'll have to look through the index manifest files to find the names of the buckets you want to move. The manifests have date ranges and event counts of each bucket so it's fairly straightforward once you locate them:</P> <P>C:\Program Files\Splunk\var\lib\splunk\defaultdb\db.bucketManifest &lt;- for example</P> Tue, 24 May 2016 13:32:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262593#M50381 jkat54 2016-05-24T13:32:27Z https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262594#M50382 <P>Thank you for the fast replies. I will take a look at this and let you know if that does it.</P> Tue, 24 May 2016 13:37:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-a-specific-time-period-of-logs-be-recovered-from-one/m-p/262594#M50382 cmcdole 2016-05-24T13:37:12Z