Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

after OS restart splunk data gone

gregwilliams
Path Finder
‎08-14-2012 08:46 AM

We upgraded from CentOS 6.2 to 6.3 last night. Upon restart the entire /opt/ directory became corrupt and ended up in /opt/lost+found/ meaning that our entire /opt/splunk/ directory is no longer there. The data is in folders like so:#39855279 #39856144 #39857009 #39857874. Even though the directory names are gibberish, the data appears to be intact. Can this be restored? Has anyone had this happen before, or am I SOL? Before the crash, I had roughly 3 months of data.

Architecture:

OS: Centos 6.3

HD: 4 600GB SAS

RAID card: Dell H700 RAID 10

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

kallu
Communicator
‎08-15-2012 01:04 AM

I'm afraid there is no generic/easy way to restore your /opt/splunk from lost+found. I would re-install Splunk and any apps you might have had and then try manually identify Splunk data files from lost+found and copy them back to their original locations. Renaming Splunk indexes back to original names can be a challenge though. This can help you finding where your indexes were before the crash. If you are lucky, files can be complete and not corrupted but running Splunk fsck will tell you more how your data is.

Alternative for recovering your data from lost+found is to give thought for how difficult it woud be to re-index (some of) the data you had in Splunk before crash?

View solution in original post

Reply
Solved! Jump to solution
Solution

kallu
Communicator
‎08-15-2012 01:04 AM

I'm afraid there is no generic/easy way to restore your /opt/splunk from lost+found. I would re-install Splunk and any apps you might have had and then try manually identify Splunk data files from lost+found and copy them back to their original locations. Renaming Splunk indexes back to original names can be a challenge though. This can help you finding where your indexes were before the crash. If you are lucky, files can be complete and not corrupted but running Splunk fsck will tell you more how your data is.

Alternative for recovering your data from lost+found is to give thought for how difficult it woud be to re-index (some of) the data you had in Splunk before crash?

Reply
Solved! Jump to solution

gregwilliams
Path Finder
‎08-15-2012 08:49 AM

Thanks kallu, that helped me think of something else to ask.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎08-15-2012 05:42 AM

A good time to restore from backups, assuming they exist...

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...