Getting Data In

How to restore frozen archived data, multiple buckets, months of data?

Glasses
Builder

I was recently asked to restore a couple months of data.

After reading >>> https://docs.splunk.com/Documentation/Splunk/7.2.7/Indexer/Restorearchiveddata
I don't see a way to restore Jul 1 2019 to Sep 1 2019...
Does anyone have a reliable script or process to do this?

0 Karma
1 Solution

ivanreis
Builder

Before you restore frozen buckets, you have to make sure the bucket retirement policy was previously set up.
Further information -> https://docs.splunk.com/Documentation/Splunk/7.2.7/Indexer/Setaretirementandarchivingpolicy
If you did not previously set it up, there is no way to restore the frozen data.
If the retirement policy is properly set up, the procedure to restore a frozen bucket is:

Restoring a Frozen Bucket
To thaw an archived bucket:
- Copy the bucket directory from the archive to the index's thaweddb directory
- Stop Splunk
- Run splunk rebuild
  - Also works to recover a corrupted directory
  - Does not count against license
- Start Splunk
  - Data in thaweddb is searchable along with other data, is not frozen, and does not count against index total size
- Delete the bucket directory when no longer needed and restart Splunk

I don't have any script to run the recovery process.


0 Karma

ivanreis
Builder

When I typed the response it was missing this part; here is the procedure.
To thaw an archived bucket:
- Copy the bucket directory from the archive to the index's thaweddb directory
- Stop Splunk
- Run splunk rebuild <path to bucket directory>
  - Also works to recover a corrupted directory
  - Does not count against license
- Start Splunk
  - Data in thaweddb is searchable along with other data, is not frozen, and does not count against index total size
- Delete the bucket directory when no longer needed and restart Splunk

0 Karma
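Scripting the thaw procedure from the solution post and the clarified steps above for a whole date range (the original question asks for Jul 1 to Sep 1 2019, i.e. many buckets), as an added example that is not code from the thread or from Splunk. It assumes the archived bucket directories keep Splunk's db_<latestEpoch>_<earliestEpoch>_<id> naming (rb_ for replicated copies), that splunk rebuild accepts the bucket path followed by the index name, and that the frozen archive path, the index's thaweddb path and SPLUNK_HOME are supplied by the caller; all paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Splunk): thaw every archived bucket whose
# time span overlaps a date range, following the steps above: copy to thaweddb,
# stop Splunk, rebuild each bucket, start Splunk.
# Assumed: buckets are named db_<latestEpoch>_<earliestEpoch>_<id> (or rb_...),
# SPLUNK_HOME is set, and FROZEN_DIR / THAWED_DIR / INDEX are caller-supplied.
set -eu

# Exit 0 when bucket directory NAME overlaps [START, END] (epoch seconds).
bucket_in_range() {
    name=$(basename "$1") start=$2 end=$3
    case "$name" in db_*_*_*|rb_*_*_*) ;; *) return 1 ;; esac
    latest=$(printf '%s' "$name" | cut -d_ -f2)
    earliest=$(printf '%s' "$name" | cut -d_ -f3)
    # Reject names whose time fields are not plain integers.
    case "$latest$earliest" in *[!0-9]*) return 1 ;; esac
    # Overlap: newest event is at or after START and oldest is at or before END.
    [ "$latest" -ge "$start" ] && [ "$earliest" -le "$end" ]
}

# Print the bucket directories under FROZEN_DIR that fall inside the range.
select_buckets() {
    frozen_dir=$1 start=$2 end=$3
    for b in "$frozen_dir"/*; do
        [ -d "$b" ] && bucket_in_range "$b" "$start" "$end" && printf '%s\n' "$b"
    done
    return 0
}

# Copy the selected buckets into THAWED_DIR and rebuild them while Splunk is stopped.
thaw_range() {
    frozen_dir=$1 thawed_dir=$2 index=$3 start=$4 end=$5
    splunk="${SPLUNK_HOME:?}/bin/splunk"
    "$splunk" stop
    select_buckets "$frozen_dir" "$start" "$end" | while read -r b; do
        cp -Rp "$b" "$thawed_dir/"
        "$splunk" rebuild "$thawed_dir/$(basename "$b")" "$index"
    done
    "$splunk" start
}

# Usage (placeholder paths): thaw.sh thaw /mnt/frozen/myindex \
#   "$SPLUNK_HOME/var/lib/splunk/myindex/thaweddb" myindex 1561939200 1567296000
# 1561939200 / 1567296000 are 2019-07-01 / 2019-09-01 UTC (GNU: date -u -d 2019-07-01 +%s).
case "${1:-}" in
    thaw) thaw_range "$2" "$3" "$4" "$5" "$6" ;;
esac
```

Run a dry listing first with select_buckets to confirm the bucket set and its total size before stopping the indexer; the thaw itself only runs when the script is invoked with the thaw subcommand.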

Glasses
Builder

Thanks, I have 1 TB and months of buckets to cp and rebuild.
I found a script and am going to try to use it on a non-prod standalone indexer, which I will make a peer later.
If you have any other advice it will be much appreciated.
Thanks

0 Karma

wonda
Loves-to-Learn Lots

Hi,

Can anybody help me to share if there is a script to restore months of frozen buckets that have been dumped to one frozen directory instead of the respective directory by index? Due to some config issue, the coldToFrozenDir file path was set up without the index name in the path; instead a token was used ($_index_name), hence Splunk dumped all the frozen buckets into one directory ($_index_name) and now I need to come up with a way to move the buckets in the frozendb to their respective frozendb.

Thank you

0 Karma