I am using Splunk Enterprise 7.0.1 and I have installed it on my C drive. I have archived my logs at the following location: D:\archive. I have performed the following steps to restore my logs but am unable to do so.
1) I ran the following command (C:>xcopy D:\archive\db_1513683972_1613682334_0 %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\/s /e /v), which makes a folder named %SPLUNK_HOME% on the C drive containing the journal zip file.
2) After that I ran this command (C:\Program Files\Splunk\bin>splunk rebuild %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\db_1513683972_1613682334_0), which executed successfully.
3) Then I ran this command, modifying the zero at the end to 1001, as I had read somewhere, to give it a unique bucket id. (C:\%SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb>move db_1513683972_1613682334_0 db_1513683972_1613682334_1001)
Please help me find where I am going wrong. I have been stuck here for many days but am unable to restore the logs.
You can refer the following doc:
You don't need to change the unique id, and you need to restart the Splunk service after restoring data to the thawed path.
Let me know if this helps!!
Thanks for answer!!
I just tried another method.
1) I directly copied one of my archived db folders into thaweddb.
2) After that I ran the splunk rebuild command as shown below.
C:>splunk rebuild programfiles\splunk\var\lib\splunk\defaultdb\thaweddb\db_1513910393_1513952434_5
3) But I was still unable to search the logs.
Thanks for answer!
Yes, I restarted the service after this and still had no success.
One thing I was confused about: after copying my archived db folder into thaweddb, residing under var/lib/splunk/defaultdb, and then running the splunk rebuild command on that db folder under thaweddb, how will my archived logs be linked to the hot folder of the specific index so that they are searchable again?
I think the problem is that your data is restored into the main index; if you want to add it to a particular index, your path should be this:
This should work!!
For confirmation, check index=main; your data should be available there.
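Putting the two answers together (copy the archived bucket into the thaweddb of the index you want, run splunk rebuild on the thawed bucket, then restart Splunk), here is an added helper, not from this thread or from Splunk itself, that derives the per-index thaweddb path on Windows and the cmd.exe command sequence for one bucket. It assumes SPLUNK_HOME is passed as the real install path (it rejects an unexpanded %SPLUNK_HOME%, which is what created the stray folder in the question); the index name "web" in the usage is a made-up example.

```python
import re
from pathlib import PureWindowsPath

# Bucket directory names look like db_<latestEpoch>_<earliestEpoch>_<localId>
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)$")


def parse_bucket_name(name):
    """Return (latest_epoch, earliest_epoch, local_id) or raise on a bad name."""
    m = BUCKET_RE.match(name)
    if not m:
        raise ValueError(f"not a Splunk bucket directory name: {name!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def thaweddb_path(splunk_home, index):
    """Thawed bucket directory for an index; 'main' is stored under defaultdb."""
    if "%" in splunk_home:
        # An unexpanded %SPLUNK_HOME% makes xcopy create a literal folder of
        # that name instead of writing into the Splunk install directory.
        raise ValueError("pass the real install path, not an unexpanded %VAR%")
    index_dir = "defaultdb" if index == "main" else index
    return PureWindowsPath(splunk_home) / "var" / "lib" / "splunk" / index_dir / "thaweddb"


def restore_commands(splunk_home, archive_bucket, index):
    """cmd.exe commands to thaw one archived bucket into the given index."""
    src = PureWindowsPath(archive_bucket)
    parse_bucket_name(src.name)  # fail early if this is not a bucket directory
    dest = thaweddb_path(splunk_home, index) / src.name  # keep the original bucket name
    splunk = PureWindowsPath(splunk_home) / "bin" / "splunk"
    return [
        f'xcopy "{src}" "{dest}\\" /s /e /v',  # trailing backslash: dest is a directory
        f'"{splunk}" rebuild "{dest}"',        # rebuild index files from the journal
        f'"{splunk}" restart',                 # restart so the thawed bucket is picked up
    ]


if __name__ == "__main__":
    # Constructed values: install path, archive location and the index name "web"
    for cmd in restore_commands(r"C:\Program Files\Splunk",
                                r"D:\archive\db_1513910393_1513952434_5", "web"):
        print(cmd)
```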