Re: Merge indexes after restore fail

Greenwell01 · ‎09-27-2018

Hi,

I recently had to re-install the os of the machine where splunk enterprise is hosted, I backed up my splunk server which included the index files. When the restore was done the every thing was restored except the index files. On starting the server, this caused all the indexes to be newly created but now only containing recent data.

Now I somehome need to merge the data from the backed up index to and index of the same name on the server.

I've tried renaming the backed up index, stopping splunk, copying it the index folder and restarting splunk. Splunk however does not recognise the new index and hence I cant query it.

Any ideas?

Thanks

adonio · ‎09-27-2018

you are probably looking for thawing data or restoring data.
take a look at this link:
https://docs.splunk.com/Documentation/Splunk/7.1.3/Indexer/Restorearchiveddata
hope it helps

Merge indexes after restore fail

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation