Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

After reinstalling Splunk without backing anything up, is there a way to recover my indexed logs?

cstute
New Member
‎06-22-2016 10:13 AM

Hello,

I was having an issue with Splunk where I made one small change to a config file to disable weak cipher suites, and after the change, I couldn't access the web interface, and couldn't start/restart the splunkd service, even after changing the config back to how it originally was. Without a thought in my head, I uninstalled Splunk, rebooted, and reinstalled Splunk.

After doing so, Splunk was running as if it were a brand new install, and none of my logs are there anymore.

Is there any possible way to recover my logs now that I have screwed everything up?

Thanks,
Christopher

0 Karma
Reply

janderson19
Path Finder
‎06-22-2016 10:31 AM

Go through the files and see if your logs are in the files they were originally indexed to. If not, I believe there are ways of getting forwarders to reindex, but I'm not well versed in that.

0 Karma
Reply

cstute
New Member
‎06-22-2016 02:59 PM

Thanks janderson19. It is not looking good for me. I just knew that I couldn't get the service started, I was getting desperate, Repair install wasn't working, reboot wasn't working, removing the config file that I originally altered in hopes that it would create a new working one, didn't work.

My hope was that I could just uninstall and reinstall, and my stuff would be there still. It boggles my mind how it could destroy all my logs without so much as a prompt beforehand, to let me know it was about to get rid of/overwrite all my stuff.

It's my own fault, but I really assumed there would be a prompt to let me know, since this program deals in very important data.

Does anyone have any suggestion on how I might recover these logs, or encountered a similar situation?

Thank you for your time.

0 Karma
Reply

janderson19
Path Finder
‎06-22-2016 04:28 PM

For future reference, to upgrade Splunk, you just install the new version on top of the old, and it keeps all data and configurations.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...