How can I restore data from a crashed installation

jezh
Engager

Our Splunk server has 2 Windows partitions, one for the OS and Splunk, the other for the Splunk data.

For reasons I shall not go into, it has been necessary to trash the OS partition and rebuild it from scratch.

I still have the Splunk data on the data partition (and a tape backup). The server was shut down cleanly prior to the OS partition being trashed.

My plan is to reinstall the OS (currently underway) and then install Splunk. I will then need to import/restore the data somehow, but I am not sure how to go about this.

Can anyone help?

lguinn2
Legend

If all the data is there and intact, you should be able to:

  • Reinstall Splunk
  • Restore the Splunk etc directory from a recent backup
  • Start Splunk

In addition to making sure that your indexed info is all there, this will also restore your licenses, your users' saved searches, etc. etc.

This is not the only way to get service restored, but it is the easiest way that I know. If you can't restore the Splunk etc directory, then you will need to reconstruct the configuration files; this would be a PITA. The data is described in indexes.conf - but that is only part of what you really need.

It's great that your data partition survived intact.

Post back if you need more help.
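
A pre-start check for the procedure above, as an added example that is not part of the original answer: it reads the restored indexes.conf and lists every homePath, coldPath or thawedPath directory that is not present on the data partition. The sample config, the temporary directory standing in for the data partition, and the function names are constructed for illustration; `volume:` paths are not resolved.

```python
import os
import re
import tempfile

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

# Constructed sample indexes.conf, not taken from the original post.
SAMPLE_CONF = """[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
[firewall]
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; a repeated key keeps the last value."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def missing_index_dirs(conf_text, splunk_db):
    """Return sorted (index, key, resolved_path) for bucket directories not found on disk."""
    missing = []
    for name, settings in parse_conf(conf_text).items():
        for key in PATH_KEYS:
            path = settings.get(key, "").replace("$SPLUNK_DB", splunk_db).replace("$_index_name", name)
            if key in settings and not os.path.isdir(path):
                missing.append((name, key, path))
    return sorted(missing)

def demo():
    """Simulated data partition where the firewall index lost its cold and thawed directories."""
    with tempfile.TemporaryDirectory() as data:
        for sub in ("defaultdb/db", "defaultdb/colddb", "defaultdb/thaweddb", "firewall/db"):
            os.makedirs(os.path.join(data, sub))
        return [(index, key) for index, key, _ in missing_index_dirs(SAMPLE_CONF, data)]

if __name__ == "__main__":
    print(demo())
```

On a real server, pass the text of the restored indexes.conf and the SPLUNK_DB location to `missing_index_dirs` before starting Splunk; an empty list means every configured bucket directory was found.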
