I copied the /opt/splunk directory before upgrading to 6.0. Now I find that none of the forwarders work. They are not forwarding the transactions to 6.0. We don't have the time to send the 6.0 forwarder to the laptops to see if they will work, so we need to restore. What is the procedure? Just delete the /opt/splunk 6.0 structure and copy back the old 5.x structure to /opt/splunk?
First you will want to roll everything from Hot to warm. Then delete the hot buckets. When you restart Splunk after the rollback, it will create new hot buckets.
This is the command for it, just replace the index name with the name of your index(es) and your username/pw.
splunk internal call /data/indexes/<indexname>/roll-hot-buckets –auth