
Restore archived logs to make them searchable again

Explorer

Hi!
I am using Splunk Enterprise 7.0.1 and have installed it on my C drive. I have archived my logs at the following location: D:\archive. I have performed the following steps to restore my logs but am unable to do so.

1) I ran the following command (C:\>xcopy D:\archive\db_1513683972_1613682334_0 %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\ /s /e /v), which created a folder named %SPLUNK_HOME% on the C drive containing the journal zip file.
2) After that I ran this command (C:\Program Files\Splunk\bin>splunk rebuild %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\db_1513683972_1613682334_0), which executed successfully.
3) Then I ran this command, changing the zero at the end to 1001, as I had read somewhere that this gives the bucket a unique id (C:\%SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb>move db_1513683972_1613682334_0 db_1513683972_1613682334_1001).

Please help me find where I am going wrong. I have been stuck on this for many days but am unable to restore the logs.

0 Karma

Motivator

Hey aqudoos,

You can refer to the following doc:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Restorearchiveddata

You don't need to change the unique id, and you need to restart the Splunk service after restoring data to the thawed path.

Let me know if this helps!!

0 Karma

Explorer

Hi deepashri_123,
Thanks for the answer!
I just tried another method.
1) I copied one of my archived db folders directly into thaweddb:
C:\Program Files\Splunk\var\lib\splunk\defaultdb\thaweddb\db_1513910393_1513952434_5
2) After that I ran the splunk rebuild command as shown below:
C:\>splunk rebuild programfiles\splunk\var\lib\splunk\defaultdb\thaweddb\db_1513910393_1513952434_5
3) But I was still unable to search the logs.
Please help.

0 Karma

Motivator

Did you restart after this?
Also check for any errors in the internal logs.

0 Karma

Explorer

Thanks for the answer!

Yes, I restarted the service after this and it still did not work.

One thing I am confused about: after copying my archived db folder into the thaweddb residing under var/lib/splunk/defaultdb and then running the splunk rebuild command on that db folder under thaweddb, how will my archived logs be linked to the hot folder of the specific index so that they become searchable again?

Please help.

0 Karma

Motivator

Hey aqudoos,

I think the problem is that your data is restored into the main index. If you want to add it to a particular index, your path should be this:
C:\Program Files\Splunk\var\lib\splunk\your_index\thaweddb\db_1513910393_1513952434_5

This should work!!
For confirmation, check index=main; your data should be available there.

0 Karma
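The procedure the two answers above describe (copy the archived bucket into the thaweddb directory of the index it belongs to, run splunk rebuild on it, then restart Splunk) as an added, runnable example; this is not code from the original thread or from Splunk. It assumes the default on-disk layout ($SPLUNK_HOME/var/lib/splunk/<index>/{db,colddb,thaweddb}, with the main index stored under defaultdb), the standard bucket naming db_<latest>_<earliest>_<localid>, and the splunk binary at $SPLUNK_HOME/bin/splunk. The bucket keeps its original id unless that id is already in use by a bucket of the same index, which is the one case where a rename is needed; plan_restore() does the path computation and collision check without touching the filesystem so it can be dry-run first.

```python
import os
import re
import shutil
import subprocess

# Splunk bucket directory name: db_<latest epoch>_<earliest epoch>_<local id>
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")


def parse_bucket_name(name):
    """Split a bucket directory name into (latest, earliest, local_id) integers."""
    m = BUCKET_RE.match(name)
    if not m:
        raise ValueError(f"not a Splunk bucket directory name: {name!r}")
    latest, earliest, local_id = (int(x) for x in m.groups())
    return latest, earliest, local_id


def index_dir_name(index):
    """The 'main' index lives under defaultdb by default; others use their own name."""
    return "defaultdb" if index == "main" else index


def index_root(splunk_home, index):
    return os.path.join(splunk_home, "var", "lib", "splunk", index_dir_name(index))


def plan_restore(archive_bucket, splunk_home, index, existing_names):
    """Compute the thaweddb destination and the rebuild command for one archived bucket.

    existing_names: bucket directory names already present in the target index
    (db, colddb and thaweddb). The bucket is renamed only if its local id collides.
    """
    name = os.path.basename(archive_bucket.rstrip("\\/"))
    latest, earliest, local_id = parse_bucket_name(name)

    taken = {parse_bucket_name(n)[2] for n in existing_names if BUCKET_RE.match(n)}
    if local_id in taken:
        # Collision: pick an id no existing bucket of this index uses.
        local_id = max(taken) + 1
    dest_name = f"db_{latest}_{earliest}_{local_id}"

    dest = os.path.join(index_root(splunk_home, index), "thaweddb", dest_name)
    splunk_bin = os.path.join(splunk_home, "bin", "splunk")  # assumption: default binary location
    rebuild_cmd = [splunk_bin, "rebuild", dest]
    return dest, rebuild_cmd


def list_index_buckets(splunk_home, index):
    """Names of all bucket directories currently in the index's db, colddb and thaweddb."""
    root = index_root(splunk_home, index)
    names = []
    for sub in ("db", "colddb", "thaweddb"):
        d = os.path.join(root, sub)
        if os.path.isdir(d):
            names.extend(n for n in os.listdir(d) if BUCKET_RE.match(n))
    return names


def restore(archive_bucket, splunk_home, index, dry_run=True):
    """Copy the bucket into thaweddb, rebuild it, and restart Splunk (unless dry_run)."""
    existing = list_index_buckets(splunk_home, index)
    dest, rebuild_cmd = plan_restore(archive_bucket, splunk_home, index, existing)
    if dry_run:
        return dest, rebuild_cmd

    # Copy the whole bucket directory (rawdata/journal.gz etc.), never just the zip inside it.
    shutil.copytree(archive_bucket, dest)
    subprocess.run(rebuild_cmd, check=True)
    # Rebuilt thawed buckets become searchable after a restart.
    subprocess.run([rebuild_cmd[0], "restart"], check=True)
    return dest, rebuild_cmd


if __name__ == "__main__":
    # Constructed sample: archived bucket on a D: drive, Splunk installed in Program Files.
    dest, cmd = restore(
        r"D:\archive\db_1513910393_1513952434_5",
        r"C:\Program Files\Splunk",
        "main",
        dry_run=True,
    )
    print("would copy to:", dest)
    print("would run:", " ".join(cmd))
```

Run with dry_run=True first and compare the printed destination with the index you actually want the events in; if it says defaultdb and you expected another index, pass that index name instead, as the last answer above points out. Only then call restore(..., dry_run=False).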

Motivator

Did that help?

0 Karma