Deployment Architecture

How to thaw multiple DB within the Frozen bucket?

dperry
Communicator

I have seen a question regarding this, but doesn't seem to explain much.....I'm looking to move multiple db_* to the thaweddb..I move the data like so:

cp -r db_140* $SPLUNK_DB/web_logging/thaweddb/

My question...what command can I do so that I can rebuild all the content in this folder, thaweddb? The time it takes to rebuild one db_* at a time is forever.....My Indexer is running on Linux.

index=web_logging
$SPLUNK_DB/web_logging/thaweddb
$SPLUNK_DB/web_logging/frozendb

0 Karma

jjozwik702
Explorer

Does restoring count against your daily index limit?

0 Karma

fernanlee
Path Finder

No, because that data was indexed before and you paid for that "index process". Don't worry about that.

0 Karma

sherm77
Path Finder

Verify this with your Splunk account manager, but in my experience & training, previously indexed data does not have a license cost to it no matter how you move it around or rebuild from frozen to thawed. Now, if you manipulate the data and reindex it, then you'll have a cost since you are materially changing the indexed data.

0 Karma

dperry
Communicator

So I ran the above command to rebuild the multiple db's within the Thawed bucket, took about 9 hours to complete. I suppose this is the only solution if you need to restore allot of data.

rajanala
Path Finder

If possible, please provide an estimated GB of the 400 buckets.
9 hours = 400 buckets = ? GB

Thank you.

qtopia7100
Explorer

I'd like to know time and size as well

dperry
Communicator

Is there a faster way of rebuilding the buckets? I can run the following command:

cd /opt/splunk/var/lib/splunk/web_logging/thaweddb ; ls | xargs -i /opt/splunk/bin/splunk rebuild {}

But I have over 400 buckets I need to rebuild??!!

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...