Restore archive logs to make them searchable again

Explorer

Hi!
I am using Splunk Enterprise 7.0.1 and I have installed it on my C drive. I have archived my logs at the following location: D:\archive. I have performed the following steps to restore my logs but am unable to do so.

1) I have run the following command, which makes a folder named %SPLUNK_HOME% on the C drive containing the journal zip file:
`C:\>xcopy D:\archive\db_1513683972_1613682334_0 %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\ /s /e /v`
2) After that I have run this command, which was successfully executed:
`C:\Program Files\Splunk\bin>splunk rebuild %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\db_1513683972_1613682334_0`
3) Then I have run this command, modifying the zero at the end to 1001, as studied somewhere, to give it a unique bucket id:
`C:\%SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb>move db_1513683972_1613682334_0 db_1513683972_1613682334_1001`

Please help me see where I am wrong. I have been stuck here for many days but am unable to restore the logs.

0 Karma

Re: Restore archive logs to make them searchable again

Motivator

Hey aqudoos,

You can refer to the following doc:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Restorearchiveddata

You don't need to change the unique id, and you need to restart the Splunk service after restoring data in the thawed path.

Let me know if this helps!!

0 Karma

Re: Restore archive logs to make them searchable again

Explorer

Hi deepashri123,
Thanks for the answer!!
I just tried another method.
1) I copied one of my archive db folders directly to thaweddb:
`C:\Program Files\Splunk\var\lib\splunk\defaultdb\thaweddb\db_1513910393_1513952434_5`
2) After that I ran the splunk rebuild command as shown below:
`C:\>splunk rebuild programfiles\splunk\var\lib\splunk\defaultdb\thaweddb\db_1513910393_1513952434_5`
3) But I was still unable to search the logs.
Please help.

0 Karma

Re: Restore archive logs to make them searchable again

Motivator

Did you restart after this?
Also check for any errors in the internal logs.

0 Karma

Re: Restore archive logs to make them searchable again

Explorer

Thanks for the answer!

Yes, I have restarted the service after this and still no success.

One thing I was confused about: after copying my archive db folder into the thaweddb residing under var/lib/splunk/defaultdb and then running the splunk rebuild command on that db folder under thaweddb, how will my archive logs link to the hot folder of a specific index so that they will be searchable again?

Please help.

0 Karma

Re: Restore archive logs to make them searchable again

Motivator

Hey aqudoos,

I think the problem is that your data is restored in the main index. If you want to add it to a particular index, your path should be this:
`C:\Program Files\Splunk\var\lib\splunk\yourindex\thaweddb\db_1513910393_1513952434_5`

This should work!!
For confirmation, check index=main; your data should be available there.

0 Karma
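
The thaw steps discussed in this thread, collected into one script with the checks that catch the failure modes mentioned above (an unset install path variable, a bucket name that has lost its `db_<newest_time>_<oldest_time>_<id>` form, the wrong index directory). This is an added example, not code from any poster or from Splunk; the install path, archive path and index directory used as defaults are assumptions.

```powershell
# Added example: thaw one archived bucket into a chosen index on Windows.
# Assumed defaults (adjust to your system): install path, archive path, index directory.
param(
    [string]$SplunkHome     = 'C:\Program Files\Splunk',
    [string]$ArchivedBucket = 'D:\archive\db_1513910393_1513952434_5',
    [string]$Index          = 'defaultdb'   # directory name; defaultdb holds index=main
)
$ErrorActionPreference = 'Stop'

# Use an explicit path instead of an environment variable that may not be defined.
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
if (-not (Test-Path $splunk)) { throw "splunk.exe not found under '$SplunkHome'" }

# Bucket directories are named db_<newest_time>_<oldest_time>_<id> (epoch seconds).
$name = Split-Path $ArchivedBucket -Leaf
if ($name -notmatch '^db_(\d+)_(\d+)_(\d+)$') { throw "Unexpected bucket name '$name'" }
$newest = [DateTimeOffset]::FromUnixTimeSeconds([long]$Matches[1]).UtcDateTime
$oldest = [DateTimeOffset]::FromUnixTimeSeconds([long]$Matches[2]).UtcDateTime

# The bucket must land in the thaweddb directory of the index it should be searched in.
$thawed = Join-Path $SplunkHome "var\lib\splunk\$Index\thaweddb"
if (-not (Test-Path $thawed)) { throw "No thaweddb at '$thawed'; check the index directory" }
$target = Join-Path $thawed $name
if (Test-Path $target) { throw "'$target' already exists; not overwriting" }

Copy-Item -Path $ArchivedBucket -Destination $target -Recurse

# Rebuild the index files from the journal, then restart so the bucket is picked up.
& $splunk rebuild $target
if ($LASTEXITCODE -ne 0) { throw "splunk rebuild failed with exit code $LASTEXITCODE" }
& $splunk restart

Write-Host "Thawed $name into $thawed"
Write-Host "Bucket name timestamps (UTC): $oldest and $newest"
```

After the restart, search the index with a time range that covers the printed timestamps; a default "last 24 hours" search will not show events from an old bucket even when the thaw succeeded.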

Re: Restore archive logs to make them searchable again

Motivator

Did that help?

0 Karma