Getting Data In

how to restore data from a frozen/archived bucket?

Explorer

i have the frozen data archived in this path" /nfs-storage/frozen_path/cisco_asa/ " and when tried to restore it in splunk again i copied the bucket from this path to the thawed path using this command:

[root@eib-siem cisco_asa]# cp -r db_1530576360_1530222901_40 /nfs-storage/thawed_path/cisco_asa/

and when tried to run the rebuild command give me the following output:
[root@eib-siem cisco_asa]# splunk rebuild /nfs-storage/thawed_path/cisco_asa/db_1530576360_1530222901_40
-bash: splunk: command not found

so i tried to run it as follow:
[root@eib-siem ~]# cd /opt/splunk/bin/
[root@eib-siem bin]# ./splunk rebuild /nfs-storage/thawed_path/cisco_asa/db_1530576360_1530222901_40
USAGE: splunk rebuild [] [--ignore-read-error] [--no-log]
Please see 'splunk fsck' for more options. This command is just a wrapper for 'splunk fsck'.

Redirecting to 'splunkd fsck' with args:
repair --one-bucket --include-hots --bucket-path=/nfs-storage/thawed_path/cisco_asa/db_1530576360_1530222901_40 --log-to--splunkd-log
ERROR ProcessTracker - (subchild_43__RollFixMetadata) IndexConfig - Asked to check if idx= is an index with a remote storage, but that index does not exist on the system or is disabled
INFO Fsck - (entire bucket) Rebuild for bucket='/nfs-storage/thawed_path/cisco_asa/db_1530576360_1530222901_40' took 149.3 seconds

can anyone help me to solve this error????!!!!....

0 Karma

Splunk Employee
Splunk Employee
0 Karma

Explorer

I followed this document before posting this question and faced the above error, thanks for your help

0 Karma

Super Champion

Try these instruction mentioned in this post-
https://answers.splunk.com/answers/80882/corrupted-bucket-journal.html

0 Karma