Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I restore data from a crashed installation

jezh
Engager
‎06-01-2012 03:21 AM

Our splunk server has 2 windows partitions, one for the OS and Splunk, the other for the splunk data.

For reasons I shall not go into it has been necessary to trash the OS partition and rebuild it from scratch.

I still have the splunk data on the data partition (and a tape backup). The server was shutdown cleanly prior to the OS partition being trashed.

My plan is to reinstall the OS (currently underway) and then install Splunk. I will then need to import/restore the data some how but I am not sure how to go about this.

Can anyone help?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-01-2012 06:07 AM

If all the data is there and intact, you should be able to

  • Reinstall Splunk
  • Restore the Splunk etc directory from a recent backup
  • Start Splunk

In addition to making sure that your indexed info is all there, this will also restore your licenses, your users' saved searches, etc. etc.

This is not the only way to get service restored, but it is the easiest way that I know. If you can't restore the Splunk etc directory, then you will need to reconstruct the configuration files; this would be a PITA. The data is described in indexes.conf - but that is only part of what you really need.

It's great that your data partition survived intact.

Post back if you need more help.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-01-2012 06:07 AM

If all the data is there and intact, you should be able to

  • Reinstall Splunk
  • Restore the Splunk etc directory from a recent backup
  • Start Splunk

In addition to making sure that your indexed info is all there, this will also restore your licenses, your users' saved searches, etc. etc.

This is not the only way to get service restored, but it is the easiest way that I know. If you can't restore the Splunk etc directory, then you will need to reconstruct the configuration files; this would be a PITA. The data is described in indexes.conf - but that is only part of what you really need.

It's great that your data partition survived intact.

Post back if you need more help.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...