How to restore to 5.x from 6.0

RVDowning · ‎11-08-2013

I copied the /opt/splunk directory before upgrading to 6.0. Now I find that none of the forwarders work. They are not forwarding the transactions to 6.0. We don't have the time to send the 6.0 forwarder to the laptops to see if they will work, so we need to restore. What is the procedure? Just delete the /opt/splunk 6.0 structure and copy back the old 5.x structure to /opt/splunk?

ShaneNewman · ‎11-08-2013

That is what I did. I did have to delete a few of the index files to keep get the indexes to come back up afterwards.

ShaneNewman · ‎11-12-2013

Link to the documentation:
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Backupindexeddata

ShaneNewman · ‎11-12-2013

First you will want to roll everything from Hot to warm. Then delete the hot buckets. When you restart Splunk after the rollback, it will create new hot buckets.

This is the command for it, just replace the index name with the name of your index(es) and your username/pw.

splunk _internal call /data/indexes//roll-hot-buckets –auth :

RVDowning · ‎11-12-2013

From which bucket did you wipe out files? The hot bucket? How did you recreate those indexes?

How to restore to 5.x from 6.0

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...