I am trying to import data from an index provided by the instructor of a Splunk training course.
Follow the steps below:
To Import Course Example Data:
1. Navigate to Settings—>Indexes—>New Index
2. Create a new index with the desired name
3. Save the new index
4. Use file transfer program to transfer the four folders into new index folder within the Splunk OS
   *Nix: /opt/splunk/var/lib/splunk/INDEX_NAME
5. Search imported data by searching just this index
The file mentioned above has the four folders: colddb, datamodel_summary, db and thaweddb.
I copied all the above files, skipping the .bucketManifest and CreationTime files.
The next step I did was to restart Splunk.
This procedure did not work. The current size of my index was 0B.
That is, it seems that my Splunk Enterprise (Indexer) did not recognize the index data copied and provided by the instructor.
What can it be?
Hi @woodcock ,
INDEX_NAME is in this path on my Windows machine: C:\Program Files\Splunk\var\lib\splunk\
And this index folder has the same name as the index that I created in my Splunk Enterprise GUI.
Did you create indexes.conf before restarting Splunk?
The correct procedure should be:
Hi @gcusello ,
I tried to follow your instructions as below:
homePath = $SPLUNK_DB\pluralsight_generating_tailored_searches_splunk\db
coldPath = $SPLUNK_DB\pluralsight_generating_tailored_searches_splunk\colddb
thawedPath = $SPLUNK_DB\pluralsight_generating_tailored_searches_splunk\thaweddb
maxDataSize = 100
And yet, it doesn't start the Splunk service on my Windows machine.
You can see the value of the $SPLUNK_DB variable in $SPLUNK_HOME\etc\splunk-launch.conf
Usually it is commented.
If it's commented you can replace $SPLUNK_DB with $SPLUNK_HOME\var\lib\splunk
Then, don't use maxDataSize = 100 because in this way you could delete some data.
When you try to restart Windows services, use the cmd window with administration grants; in this way you can see if there's any problem.
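An added example, not part of the thread or of Splunk's own tooling: a Python check that resolves $SPLUNK_DB the way the reply above describes (the value in splunk-launch.conf, or $SPLUNK_HOME\var\lib\splunk when that line is commented) and reports which homePath, coldPath and thawedPath settings do not expand to an existing directory. The stanza name course_index and the sample file contents are constructed for illustration.

```python
import os
import re

# Constructed sample input (not from the thread); "course_index" is a hypothetical index name.
SAMPLE_LAUNCH = "# SPLUNK_DB=C:\\Splunk\\var\\lib\\splunk\nSPLUNK_SERVER_NAME=Splunkd\n"
SAMPLE_INDEXES = (
    "[course_index]\n"
    "homePath = $SPLUNK_DB\\course_index\\db\n"
    "coldPath = $SPLUNK_DB\\course_index\\colddb\n"
    "thawedPath = $SPLUNK_DB\\course_index\\thaweddb\n"
)

def read_settings(text):
    """Return uncommented KEY=VALUE pairs from .conf text."""
    pairs = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith(("#", "[")) and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def resolve_splunk_db(launch_text, splunk_home):
    """SPLUNK_DB from splunk-launch.conf, else <SPLUNK_HOME>/var/lib/splunk."""
    configured = read_settings(launch_text).get("SPLUNK_DB")
    return configured or os.path.join(splunk_home, "var", "lib", "splunk")

def parse_index_paths(indexes_text):
    """Map each [stanza] to its homePath/coldPath/thawedPath values."""
    indexes = {}
    for block in re.split(r"(?m)^(?=\[)", indexes_text):
        header = re.match(r"\[(.+?)\]", block)
        if header:
            indexes[header.group(1)] = {k: v for k, v in read_settings(block).items()
                                        if k in ("homePath", "coldPath", "thawedPath")}
    return indexes

def missing_index_dirs(indexes_text, launch_text, splunk_home):
    """Return (index, setting, expanded_path) for paths that are not directories."""
    splunk_db = resolve_splunk_db(launch_text, splunk_home)
    missing = []
    for name, paths in parse_index_paths(indexes_text).items():
        for key, raw in paths.items():
            path = raw.replace("$SPLUNK_DB", splunk_db).replace("$SPLUNK_HOME", splunk_home)
            path = os.path.normpath(path.replace("\\", os.sep))
            if not os.path.isdir(path):
                missing.append((name, key, path))
    return missing

if __name__ == "__main__":
    print(missing_index_dirs(SAMPLE_INDEXES, SAMPLE_LAUNCH, r"C:\Program Files\Splunk"))
```

Run it with the Splunk service stopped and pass the real contents of the two files; an empty list means every configured bucket directory exists where the configuration says it should.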
Hi @gcusello ,
My local indexes.conf is below:
My splunk-launch.conf is below:
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var\lib\splunk subdirectory. This can be overridden
# Splunkd service name
SPLUNK_SERVER_NAME=Splunkd
# Splunkweb service name
SPLUNK_WEB_NAME=splunkweb
The result of using the cmd window with administration grants is below:
Splunk> The Notorious B.I.G. D.A.T.A.
Checking http port : open
Checking mgmt port : open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port : open
Checking configuration... Done.
Checking critical directories... Done
(skipping validation of index paths because not running as
Validated: _audit _internal _introspection _telemetry _thefishbucket edureka_access_combined_wcookie
Checking filesystem compatibility... Done
Checking conf files for problems...
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program
All installed files intact.
Done All preliminary checks passed.
Starting splunk server daemon
Splunkd: Starting (pid 12628)
Timed out waiting for splunkd to
And it didn't work fine. My instructor sent me the .csv file to import the data. I believe there is a conflict between the data and the system because they are different operating systems.
Then I will try to install Splunk on Linux, for example on a virtual machine, and try the same procedure to see if this problem is due to having exported the data on one operating system (Linux or Mac) and trying to import it on Windows.
Hi @anthonymelita. I checked and I'll try to import and start with the admin user. I created the index, then I stopped my service in Windows. Then I deleted all the folders inside my index. After that I copied the four new folders and started the service. But it didn't work either.