Cannot restored the archived data

gchauhan · ‎08-07-2021

Hello All,

I have 3 indexer in cluster and data is being stored in the NAS server. and for one server data is stored in cold logs on a mounted storage.

I have copied the data from NAS to 2 server , the one with mounted point is giving me a duplicate error and I am not able to see data copied in the /opt/splunk/var/lib/splunk/accessdb/thaweddb/ is marked as diabled due to conflict.

I have tried multiple commands to rebuild the Splunk db in all the indexers. and I am getting error as attached screenshots

@ivanreis @lmyrefelt @kmorris_splunk @Masa @jkat54 @493669 @mayurr98

493669 · ‎08-13-2021

@gchauhan ,

haw a 4.2+ archive *nix users

Here is an example of safely restoring a 4.2+ archive bucket to thawed:

1. Copy your archive bucket into the thawed directory:

cp -r db_1181756465_1162600547_1001 $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb

Note: The bucket id cannot conflict with any other bucket in the index. This example assumes that the bucket id '1001' is unique for the index. If it isn't, choose some other, non-conflicting bucket ID.

2. Execute the splunk rebuild command on the archive bucket to rebuild the indexes and associated files:

splunk rebuild $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/db_1181756465_1162600547_1001

3. Restart the indexer:

splunk restart

Refer- https://docs.splunk.com/Documentation/Splunk/8.1.0/Indexer/Restorearchiveddata

isoutamo · ‎08-07-2021

Hi
Please try just to use access not index=access when you are restoring the bucket.
r. Ismo

Cannot restored the archived data

CLI

indexer

Linux

other

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users