Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I thaw frozen buckets in a multi-site indexer cluster?

prakash007
Builder
‎03-28-2018 05:55 PM
  1. We have identified few frozen(db_*) buckets to thaw.
  2. We are a multisite indexer cluster(6.5.4), can we rebuild the buckets on one of the indexer in the cluster and restart splunkd on the indexer OR we have to do a rolling restart from Cluster Master?
  3. Can we rebuild the buckets on the test machine, and copy the rebuilt buckets to one of the indexer(thawed_dir) in the cluster?
  4. In case what if we rebuild the buckets on a test machine which is a Splunk 7.0 and copy the buckets to an indexer(v6.5.4)?

I am looking for a least disruptive process to get back the data.

0 Karma
Reply

cmeo
Contributor
‎08-21-2018 03:54 PM

Can this problem be solved using a standalone search peer which is just for this purpose? In some places I've worked putting the production cluster into maintenance mode to load old data is simply not an option.

There must be a better way. It seems needlessly restrictive and complicated to have to restore the buckets on the cluster nodes it first came from. Enhancement needed?

Reply

adonio
Ultra Champion
‎04-06-2018 07:20 AM

hello there,

please read here:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Restorearchiveddata
as for question 2, never restart a single indexer in the cluster by itself. you can go for maintenance mode, thaw the buckets to the indexer they were rolled out from - make sure GUID matches, restart that indexer and then disable maintenance mode.
read more here:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Restorearchiveddata#Clustered_data_thawi...
as for question 3, the challenge on test machine is that the buckets are marked with the indexers guid
would recommend to do the following:
find all data needed to be thawed, best would be if its all from same indexer.
place cluster in maintenance mode, thaw the data, get verify its searchable, disable maintenance mode

hope it helps

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...