How to restore the splunkdb from tape backup - Lin...

splunkvickyloui · ‎02-09-2016

Hi,

Our splunk setup stores the indexed data under /data02/tools/splunkdb/prod_vicky_app. We keep only 30 days of data in Splunk db as per below given indexes.conf. Now we have to restore some critical information from September 2015. We have those db in tape backup. We requested our server support team to restore the data under /data02/tools/backup_restore. We would like to restore them without affecting the current data and setup. That data should be able to be searched from search head. Please guide how we can achieve.

indexes.conf

[prod_vicky_app]
homePath   = $SPLUNK_DB/prod_vicky_app/db
coldPath   = $SPLUNK_DB/prod_vicky_app/colddb
thawedPath = $SPLUNK_DB/prod_vicky_app/thaweddb
maxHotIdleSecs = 172800
maxWarmDBCount = 3
frozenTimePeriodInSecs = 2592000

Thanks,
Vic

Jeremiah · ‎02-09-2016

You can restore the data just like you would restore similarly thawed data in Splunk. You can copy the data to the thawedPath on your indexer. You don't need to change the indexes.conf file, and it won't impact the rotation or retention of other data in the same index. You do need to keep an eye on your storage, as you're going to have your original data plus the thawed data to account for.

In your db restore, you're going to find a series of bucket files named something like

db_1181756465_1162600547_1001

You can copy these bucket directories to the thawedpath for your index ($SPLUNK_DB/prod_vicky_app/thaweddb). You'll need to make sure the id number (for example 1001 in the sample above) does not conflict with another bucket id in the same index. If you are restoring data back to the same indexer, you should not have that issue. If you do, you can rename the ID number to something unique.

You also need to look at what was actually backed up within the bucket directories. If you only backed up the journal.gz, then you'll need to follow the instructions at the link below on thawing a 4.2+ archive. If you took a complete backup of the bucket, then you only need to follow the pre-4.2 instructions on rebuilding the manifests.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Restorearchiveddata

This should work on a standalone indexer (or indexers) that are not clustered. If you do have clustered indexers, you should take a look at the notes from the link above.

Also keep in mind that this thawed data will never rotate off of the system; you'll need to remove it when you are finished with it.
I suggest trying to thaw a couple of buckets on a test host just to make sure you have the process down correctly and there aren't any surprises.

splunkvickyloui · ‎02-15-2016

Thanks Jeremiah. I am waiting for infrastructure team to restore those db files from tape backup. Since I have around 25 buckets to be restored, is it advisable to use the script which mentioned in the below given URL?

http://answers.splunk.com/answers/120007/thawing-out-multiple-buckets-at-once.html#answer-246439

Thanks in adavance.

Jeremiah · ‎02-16-2016

I haven't personally used the script, but it does look like others have had success with it. Also keep in mind that this script thaws the files, which you only need to do if you have a partial backup of the bucket (ie, just the journal.gz file). If you look in your restored buckets and they have tsidx files, you just need to rebuild the manifests.

How to restore the splunkdb from tape backup - Linux

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation