Solved: How to restore frozen archived data, multiple buck...

Glasses · ‎10-28-2019

I was recently asked to restore a couple months of data.

After reading>>> https://docs.splunk.com/Documentation/Splunk/7.2.7/Indexer/Restorearchiveddata
I don't see a way to restore Jul 1 2019 to Sep 1 2019...
Does anyone have a reliable script or process to do this?

ivanreis · ‎10-28-2019

Before you restore frozen buckets, you have to make sure the buckets retirement police was previously setup.
Further information -> https://docs.splunk.com/Documentation/Splunk/7.2.7/Indexer/Setaretirementandarchivingpolicy
If you did not previously setup it, there is no way to restore the frozen data.
If the retirement police is properly setup, the procedure to restore frozen Bucket is:

Restoring a Frozen Bucket
To thaw an archived bucket:
– Copy the bucket directory from the archive to the index's thaweddb directory
– Stop Splunk
– Run splunk rebuild
- Also works to recover a corrupted
- Directory Does not count against license
– Start Splunk
- Data in thaweddb is searchable along with other data, is not frozen, and does not count against index total size
– Delete the bucket directory when no longer needed and restart Splunk

I don't have any script to run the recovery process.

View solution in original post

ivanreis · ‎10-28-2019

Before you restore frozen buckets, you have to make sure the buckets retirement police was previously setup.
Further information -> https://docs.splunk.com/Documentation/Splunk/7.2.7/Indexer/Setaretirementandarchivingpolicy
If you did not previously setup it, there is no way to restore the frozen data.
If the retirement police is properly setup, the procedure to restore frozen Bucket is:

Restoring a Frozen Bucket
To thaw an archived bucket:
– Copy the bucket directory from the archive to the index's thaweddb directory
– Stop Splunk
– Run splunk rebuild
- Also works to recover a corrupted
- Directory Does not count against license
– Start Splunk
- Data in thaweddb is searchable along with other data, is not frozen, and does not count against index total size
– Delete the bucket directory when no longer needed and restart Splunk

I don't have any script to run the recovery process.

ivanreis · ‎10-28-2019

when I typed the response was missing this part, here is the procedure
To thaw an archived bucket:
– Copy the bucket directory from the archive to the index's thaweddb directory
– Stop Splunk
– Run splunk rebuild path to bucket directory
Also works to recover a corrupted directory
Does not count against license
– Start Splunk
Data in thaweddb is searchable along with other data, is not frozen, and does not
count against index total size
– Delete the bucket directory when no longer needed and restart Splunk

Glasses · ‎10-29-2019

thanks, I have 1TB and months of buckets to cp and rebuild.
I found a script and going to try to use it on a non-prod standalone indexer, which I will make a peer later.
If you have any other advice it will be much appreciated.
Thanks

wonda · ‎08-02-2021

Hi,

Can anybody help me to share if there is a script to restore months of frozen buckets that have been dumped to one frozen directory instead of the respective directory by index . Due to some config issue , the coldtofrozendir file path was set up without the index name in the path instead a token was used ($_index_name ) hence splunk dumped all the frozen buckets into one directory ($_index_name ) and now i need to come up with a way to move the buckets in the frozendb to their respective frozendb .

Thank you

How to restore frozen archived data, multiple buckets, months of data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation