Try this script and that should work fine https://github.com/tuwid/splunk_frozen_db_restore
root@XXXXXX:~# python splunk_frozen_db_restore.py
We're using the default index path, for custom indexes please adjust the path variable here
Enter index:winevents_security
Enter start date: (eg 30.12.2015): 31.12.2015
Enter end date: (eg 30.12.2015): 01.01.2016
[+] Searching dates on index winevents_security in /opt/splunk/var/lib/splunk/winevents_security/frozendb/
1451516400 1451602800
Got 313 elements from /opt/splunk/var/lib/splunk/winevents_security/frozendb/
Found : db_1452350660_1451453107_329
[+] Copying databases into thaweddb..
cp -R /opt/splunk/var/lib/splunk/winevents_security/frozendb/db_1452350660_1451453107_329 /opt/splunk/var/lib/splunk/winevents_security/thaweddb/
[+] Rebuilding DBs
splunkd fsck repair --one-bucket --include-hots --bucket-path=/opt/splunk/var/lib/splunk/winevents_security/thaweddb/db_1452350660_1451453107_329 --log-to--splunkd-log
root@XXXXXX:~#
I tried this method many times, but cannot search events from Jan 2011 to July 2011.
(The strange thing is that it can search 2010 data.) What's wrong?
My indexes.conf was set as
coldToFrozenScript = /opt/splunk/bin/compressedExport.sh
homePath = /data/splunk/juniper/db
coldPath = /data/splunk/juniper/colddb
thawedPath = /data/splunk/juniper/thaweddb
frozenTimePeriodInSecs = 31536000
I have archived logs of one of my indexes, named OS; the index structure is as follows. I have followed the steps below to restore the archived logs back to the thaweddb bucket in the os index, but I still could not search those logs in that time frame.
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb
Recovery Steps followed:
Copy your archive bucket to a temporary location in the thawed directory:
cp -r db_1181756465_1162600547_0 $SPLUNK_HOME/var/lib/splunk/os/thaweddb/temp_db_1181756465_1162600547_0
Execute the rebuild command on the temporary bucket to rebuild the Splunk indexes and associated files:
splunk rebuild $SPLUNK_HOME/var/lib/splunk/os/thaweddb/temp_db_1181756465_1162600547_0
Rename the temporary bucket to something that Splunk will recognize:
cd $SPLUNK_HOME/var/lib/splunk/os/thaweddb/
mv temp_db_1181756465_1162600547_0 db_1181756465_1162600547_1001
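As an added example that is not code from any of the posts above or from the linked script, the following Python shows how the two halves of this thread fit together: picking the frozen buckets whose event span (encoded in the db_<latest>_<earliest>_<id> directory name) overlaps a requested date range, and emitting the copy / rebuild / rename steps from the last post. It assumes the poster's Splunk host ran in UTC+1 (that is what reproduces the epochs 1451516400 and 1451602800 in the script output) and uses a constructed directory listing instead of reading a real frozendb. The overlap check is also the first thing to verify when a restored bucket does not show up in search: a bucket whose span does not cover the period you are searching cannot return events for it.

```python
import re
from datetime import datetime, timedelta, timezone

# Bucket directories are named db_<latest_epoch>_<earliest_epoch>_<bucket_id>
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")
# Assumption: the poster's Splunk host ran in UTC+1; this reproduces the epochs in the output above.
CET = timezone(timedelta(hours=1))

# Constructed sample listing of a frozendb directory (not read from a real system).
SAMPLE_BUCKETS = [
    "db_1452350660_1451453107_329",   # bucket shown in the script output above
    "db_1451400000_1450000000_100",   # constructed: its span ends before 31.12.2015
    "db_1181756465_1162600547_0",     # 2006/2007 bucket from the last post
    "hot_v1_5",                       # not a frozen bucket name, ignored
]

def day_to_epoch(text, tz=CET):
    """Convert a 'dd.mm.yyyy' date to the epoch of local midnight in tz."""
    return int(datetime.strptime(text, "%d.%m.%Y").replace(tzinfo=tz).timestamp())

def parse_bucket(name):
    """Return (latest, earliest, bucket_id) for a bucket directory name, or None."""
    m = BUCKET_RE.match(name)
    return tuple(int(x) for x in m.groups()) if m else None

def find_buckets(names, start_day, end_day, tz=CET):
    """Bucket names whose [earliest, latest] event span overlaps the requested days, inclusive."""
    start = day_to_epoch(start_day, tz)
    end = day_to_epoch(end_day, tz) + 86400 - 1   # through the end of end_day
    hits = []
    for name in names:
        parsed = parse_bucket(name)
        if parsed and parsed[1] <= end and parsed[0] >= start:
            hits.append(name)
    return hits

def restore_commands(index_path, name, new_id):
    """The copy / rebuild / rename steps from the last post, for one bucket.
    new_id must not collide with any bucket id already present in the index."""
    latest, earliest, _ = parse_bucket(name)
    tmp = f"{index_path}/thaweddb/temp_{name}"
    final = f"{index_path}/thaweddb/db_{latest}_{earliest}_{new_id}"
    return [f"cp -r {index_path}/frozendb/{name} {tmp}",
            f"splunk rebuild {tmp}",
            f"mv {tmp} {final}"]

if __name__ == "__main__":
    base = "/opt/splunk/var/lib/splunk/winevents_security"
    for i, name in enumerate(find_buckets(SAMPLE_BUCKETS, "31.12.2015", "01.01.2016")):
        print("\n".join(restore_commands(base, name, 1001 + i)))
```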