I have configured Splunk buckets to archive indexed logs after 1 month. I will store the archived logs in the offsite location for 7 years. However I am not sure about 2 points about restoration steps of archived logs.
If I have to restore archive buckets of only 1 month then how to identify buckets of this time frame.
Splunk restoration steps says about restoration of archive buckets one by one. How can I restore all the buckets in one go. If anyone has developed any script, I am requesting him/her to please share the same as I am virtually handicap in coding.
root@XXXXXX:~# python splunk_frozen_db_restore.py
We're using the default index path, for custom indexes please adjust the path variable here
Enter index:winevents_security
Enter start date: (eg 30.12.2015): 31.12.2015
Enter end date: (eg 30.12.2015): 01.01.2016
[+] Searching dates on index winevents_security
in /opt/splunk/var/lib/splunk/winevents_security/frozendb/
1451516400
1451602800
Got 313 elements from /opt/splunk/var/lib/splunk/winevents_security/frozendb/
Found : db_1452350660_1451453107_329
[+] Copying databases into thaweddb..
cp -R /opt/splunk/var/lib/splunk/winevents_security/frozendb/db_1452350660_1451453107_329 /opt/splunk/var/lib/splunk/winevents_security/thaweddb/
[+] Rebuilding DBs
splunkd fsck repair --one-bucket --include-hots --bucket-path=/opt/splunk/var/lib/splunk/winevents_security/thaweddb/db_1452350660_1451453107_329 --log-to--splunkd-log
The bucket names Splunk assigns have two timestamps, giving the time range of events in the bucket. You'll need all the buckets that cover the time range you are interested in.
For restoring multiple buckets you might want to have a look at shuttl.
