Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I restore data from a crashed installation

jezh
Engager
‎06-01-2012 03:21 AM

Our splunk server has 2 windows partitions, one for the OS and Splunk, the other for the splunk data.

For reasons I shall not go into it has been necessary to trash the OS partition and rebuild it from scratch.

I still have the splunk data on the data partition (and a tape backup). The server was shutdown cleanly prior to the OS partition being trashed.

My plan is to reinstall the OS (currently underway) and then install Splunk. I will then need to import/restore the data some how but I am not sure how to go about this.

Can anyone help?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-01-2012 06:07 AM

If all the data is there and intact, you should be able to

  • Reinstall Splunk
  • Restore the Splunk etc directory from a recent backup
  • Start Splunk

In addition to making sure that your indexed info is all there, this will also restore your licenses, your users' saved searches, etc. etc.

This is not the only way to get service restored, but it is the easiest way that I know. If you can't restore the Splunk etc directory, then you will need to reconstruct the configuration files; this would be a PITA. The data is described in indexes.conf - but that is only part of what you really need.

It's great that your data partition survived intact.

Post back if you need more help.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-01-2012 06:07 AM

If all the data is there and intact, you should be able to

  • Reinstall Splunk
  • Restore the Splunk etc directory from a recent backup
  • Start Splunk

In addition to making sure that your indexed info is all there, this will also restore your licenses, your users' saved searches, etc. etc.

This is not the only way to get service restored, but it is the easiest way that I know. If you can't restore the Splunk etc directory, then you will need to reconstruct the configuration files; this would be a PITA. The data is described in indexes.conf - but that is only part of what you really need.

It's great that your data partition survived intact.

Post back if you need more help.

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...