Getting Data In

Importing Data From One index to my Splunk Enterprise

New Member

Hi guys,

I am trying to import data from an index provided by the instructor of a Splunk training course.

Follow the steps below:

To Import Course Example Data:

  • Navigate to Settings—>Indexes—>New Index
  • Create a new index with the desired name
  • Save the new index
  • Use file transfer program to transfer the four folders into new index folder within the Splunk OS
      *Nix: /opt/splunk/var/lib/splunk/INDEX_NAME
  • Search imported data by searching just this index

The file mentioned above has the four folders: colddb, datamodel_summary, db and thaweddb.

I copied all of the above files, skipping the .bucketManifest and CreationTime files.

The next step I did was restart Splunk.

This procedure did not work. The current size of my index was 0B.

That is, it seems that my Splunk Enterprise (Indexer) did not recognize the index data copied and provided by the instructor.

What can it be?

0 Karma

Esteemed Legend

You realize that INDEX_NAME is a placeholder, right? You have to substitute INDEX_NAME text for the actual name of the index that you created from the GUI.

0 Karma

New Member

Hi @woodcock ,

My INDEX_NAME is in this path on my Windows machine: C:\Program Files\Splunk\var\lib\splunk\

And this index folder is the same name that I created in my GUI Splunk Enterprise.

0 Karma

Legend

Hi ivialex,
did you create indexes.conf before restarting Splunk?
The correct procedure should be:

  • create an indexes.conf, or add to an existing one, the information about the new index:
      [sample]
      homePath = $SPLUNK_DB\sample\db
      coldPath = $SPLUNK_DB\sample\colddb
      thawedPath = $SPLUNK_DB\sample\thaweddb
  • create a folder in $SPLUNK_HOME/var/lib/splunk/my_index or in your $SPLUNK_DB
  • copy the four subfolders under my_index
  • give the same grants and ownership as the other indexes
  • restart Splunk

Bye.
Giuseppe

0 Karma

New Member

Hi @gcusello ,

I tried to follow your instructions as below:

index definitions

[pluralsightgeneratingtailoredsearchessplunk]
homePath = $SPLUNK_DB\pluralsightgeneratingtailoredsearchessplunk\db
coldPath = $SPLUNK_DB\pluralsightgeneratingtailoredsearchessplunk\colddb
thawedPath = $SPLUNK_DB\pluralsightgeneratingtailoredsearches_splunk\thaweddb
maxDataSize = 100

And yet, it doesn't start the Splunk service on my Windows machine.

0 Karma

Legend

Hi ivialex,
you can see the value of the $SPLUNK_DB variable in $SPLUNK_HOME\etc\splunk-launch.conf;
usually it is commented.
If it's commented you can replace $SPLUNK_DB with $SPLUNK_HOME\var\lib\splunk

Then, don't use maxDataSize = 100 because in this way you could delete some data.

When you try to restart Windows services, use the cmd window with administration grants; in this way you can see if there's any problem.

Bye.
Giuseppe

0 Karma

New Member

Hi @gcusello ,

My local indexes.conf is as below:

[pluralsightgeneratingtailoredsearchessplunk]
homePath = $SPLUNK_DB\pluralsightgeneratingtailoredsearchessplunk\db
coldPath = $SPLUNK_DB\pluralsightgeneratingtailoredsearchessplunk\colddb
thawedPath = $SPLUNK_DB\pluralsightgeneratingtailoredsearches_splunk\thaweddb

My splunk-launch.conf is as below:

Version 7.3.2

Modify the following line to suit the location of your Splunk install.

If unset, Splunk will use the parent of the directory containing the splunk

CLI executable.

SPLUNK_HOME=C:\Program Files\Splunk

By default, Splunk stores its indexes under SPLUNK_HOME in the

var\lib\splunk subdirectory. This can be overridden

here:

SPLUNK_DB=$SPLUNK_HOME\var\lib\splunk

Splunkd service name SPLUNK_SERVER_NAME=Splunkd

Splunkweb service name SPLUNK_WEB_NAME=splunkweb

The result of using the cmd window with administration grants is as below:

C:\Program Files\Splunk\bin>splunk start --accept-license

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
(skipping validation of index paths because not running as LocalSystem)
Validated: audit _internal _introspection _telemetry _thefishbucket edurekaaccesscombinedwcookie history main pluralsightgeneratingtailoredsearchessplunk summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\Splunk\splunk-7.3.2-c60db69f8e32-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Splunkd: Starting (pid 12628)

Timed out waiting for splunkd to start.

C:\Program Files\Splunk\bin>

And it didn't work fine. My instructor sent me the .csv file to import data. I believe that there is a conflict between the data systems because they are different operating systems.
Then I will try to install Splunk on a Linux for example, on a virtual machine and try the same procedure to see if this problem is due to having exported the data on an operating system (Linux or Mac) and trying to import on a Windows.

0 Karma

Legend

Hi ivialex,
this means that the $SPLUNK_DB is the default one.

Please check your indexes.conf files; probably you have your index in more than one file.

Ciao.
Giuseppe

0 Karma
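The checks suggested in the replies above (the index defined in more than one indexes.conf, and path settings that do not resolve to the copied folders) can be scripted before restarting. This is an added example, not code from the thread or from Splunk; `read_stanzas` and `audit_index` are hypothetical names. It assumes `$SPLUNK_DB` is the only variable used in the paths, expands it by hand, and does not model Splunk's configuration precedence.

```python
import os
import tempfile

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

def read_stanzas(conf_path):
    """Parse one indexes.conf into {stanza: {key: value}}, skipping '#' comments."""
    stanzas, current = {}, None
    with open(conf_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and current is not None and not line.startswith("#"):
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def audit_index(etc_dir, splunk_db, index):
    """Return (conf files defining index, path problems, buckets found in homePath)."""
    defined_in, problems, seen, homes = [], [], set(), set()
    for root, _dirs, files in os.walk(etc_dir):
        conf = os.path.join(root, "indexes.conf")
        stanza = read_stanzas(conf).get(index) if "indexes.conf" in files else None
        if stanza is None:
            continue
        defined_in.append(conf)
        for key in (k for k in PATH_KEYS if k in stanza):
            seen.add(key)
            # Expand by hand; a misspelled variable stays as "$..." and fails isdir.
            path = stanza[key].replace("$SPLUNK_DB", splunk_db).replace("\\", os.sep)
            if not os.path.isdir(path):
                problems.append(f"{conf}: {key} -> {path} is not a directory")
            elif key == "homePath":
                homes.add(path)
    problems += [f"{key} is not set in any file" for key in PATH_KEYS if key not in seen]
    # Assumption: bucket directories under homePath are named db_* (warm) or hot_*.
    buckets = sum(n.startswith(("db_", "hot_")) for h in homes for n in os.listdir(h))
    return sorted(defined_in), problems, buckets

if __name__ == "__main__":  # constructed layout, not data from the thread
    top = tempfile.mkdtemp()
    db = os.path.join(top, "var", "lib", "splunk")
    os.makedirs(os.path.join(db, "sample", "db", "db_1_0_0"))
    for rel in (("system", "local"), ("apps", "search", "local")):
        os.makedirs(os.path.join(top, "etc", *rel))
        with open(os.path.join(top, "etc", *rel, "indexes.conf"), "w") as fh:
            fh.write("[sample]\nhomePath = $SPLUNK_DB\\sample\\db\n")
    print(audit_index(os.path.join(top, "etc"), db, "sample"))
```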

SplunkTrust

Have you contacted the instructor?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Hi @richgalloway . Yes, I sent an email to my instructor. He replied to my questions and I'll try his instructions.

0 Karma

Communicator

Did you make sure the files have the same permissions? For example owned by the splunk user.

0 Karma

New Member

Hi @anthonymelita . I checked and I'll try to import and start with the admin user. I create the index, and after that I stop my service in Windows. Then I delete all folders inside my index. After that I copy the four new folders and start the service. But it didn't work either.

0 Karma