Restore procedure for warm buckets

torstefan
New Member

Hello. The documentation is a bit unclear on how to restore warm buckets that have been backed up. Is the procedure the same as for frozen buckets? They are copied into the thawed directory, and then you run the rebuild and restart commands?

0 Karma
alemarzu
Motivator

Hi there @torstefan

The procedure is not the same, something like this should work.

  1. Stop Splunk.
  2. Move your backed-up buckets (warm) to your proper homePath according to your index. Just make sure that the bucket IDs are not duplicated inside that directory. If there happens to be a duplicated ID, find the oldest bucket with the same ID and change the ID of one of them.
  3. Restart Splunk.
  4. Search your data.

Hope it helps.

0 Karma

torstefan
New Member

Sorry, I can rephrase my question.

What will happen if you copy previously warm buckets, buckets that now maybe would be cold, into the directory that has the live warm buckets? E.g. you are restoring the backup.

Will they be instantly rolled out of the warm bucket directory into the cold / frozen directory? Or if they stay, when will they be rolled out of the warm directory into the cold/frozen?

0 Karma

alemarzu
Motivator

I don't know how it works exactly, never paid attention to it. I believe that restored buckets will be affected by your retention policies, but it is a wild hunch.

0 Karma

gjanders
SplunkTrust

I've tested similar scenarios (not this exact one), and under circumstances where the indexer sees duplicate bucket IDs it will fail to restart and throw an error.
I suspect having the same bucket ID in the cold and the hot directories will trigger this scenario, but it might be worth testing if you have spare time 🙂

0 Karma

torstefan
New Member

Hi @alemarzu

Thanks for the answer.
Follow-up questions:

If the backed-up buckets are old, should I then change the frozenTimePeriodInSecs for the index I'm trying to restore?
Since I don't want the newly restored buckets to immediately be moved to cold / frozen.

Also changing the ID. I should change the last digit. The seq number. Maybe not so good changing the Unix time stamp? Even though by what you are saying it does not matter what the name of the bucket is?

0 Karma

alemarzu
Motivator

> If the backed-up buckets are old, should I then change the frozenTimePeriodInSecs for the index I'm trying to restore?

I'm not sure about this but it makes sense.

> Also changing the ID. I should change the last digit. The seq number. Maybe not so good changing the Unix time stamp? Even though by what you are saying it does not matter what the name of the bucket is?

You should change only the ID number, it goes like this: db_latesttime_earliesttime_id

0 Karma
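
A pre-restore check for step 2 of the procedure in the accepted answer, added here as an example and not part of any post in the thread: it lists backed-up buckets whose ID is already used in the live directories, so they can be renumbered before Splunk is restarted. It assumes bucket directories are named db_latesttime_earliesttime_id as described above; the function names, the placeholder paths and the CONFLICT output format are made up for this example.

```sh
#!/bin/sh
# Added example: pre-restore check for duplicate bucket IDs.
# Assumes bucket directories are named db_<latesttime>_<earliesttime>_<id>.
# Usage (placeholder paths): sh check_buckets.sh <backup_dir> <homePath> [<coldPath>]

# bucket_ids DIR...: print "<id> <path>" for every bucket directory found.
bucket_ids() {
    for dir in "$@"; do
        for b in "$dir"/db_*_*_*; do
            [ -d "$b" ] || continue
            name=${b##*/}
            id=${name##*_}
            case $id in
                ''|*[!0-9]*) continue ;;  # last field is not a numeric ID
            esac
            printf '%s %s\n' "$id" "$b"
        done
    done
}

# find_conflicts BACKUP_DIR LIVE_DIR...: print one line per backed-up bucket
# whose ID is already used in a LIVE_DIR; return 1 if any conflict was found.
find_conflicts() {
    backup=$1; shift
    live=$(bucket_ids "$@")
    conflicts=$(bucket_ids "$backup" | while read -r id path; do
        printf '%s\n' "$live" | while read -r lid lpath; do
            if [ "$id" = "$lid" ]; then
                printf 'CONFLICT id=%s backup=%s live=%s\n' "$id" "$path" "$lpath"
            fi
        done
    done)
    if [ -n "$conflicts" ]; then
        printf '%s\n' "$conflicts"
        return 1
    fi
    return 0
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    find_conflicts "$@"
fi
```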