Re: Restore archived data

ssingh5 · ‎02-22-2012

Hi,

I could not able to Restore archived data and could not able to make it searchable even after following

Restore archived data instractions in Splunk Admin Manual. Can any one please help on this.

arber · ‎04-21-2016

Try this script and that should work fine https://github.com/tuwid/splunk_frozen_db_restore
as follows:

root@XXXXXX:~# python splunk_frozen_db_restore.py
We're using the default index path, for custom indexes please adjust the path variable here
Enter index:winevents_security
Enter start date: (eg 30.12.2015): 31.12.2015
Enter end date: (eg 30.12.2015): 01.01.2016
[+] Searching dates on index winevents_security
in /opt/splunk/var/lib/splunk/winevents_security/frozendb/
1451516400
1451602800
Got 313 elements from /opt/splunk/var/lib/splunk/winevents_security/frozendb/
Found : db_1452350660_1451453107_329
[+] Copying databases into thaweddb..
cp -R /opt/splunk/var/lib/splunk/winevents_security/frozendb/db_1452350660_1451453107_329 /opt/splunk/var/lib/splunk/winevents_security/thaweddb/
[+] Rebuilding DBs
splunkd fsck repair --one-bucket --include-hots --bucket-path=/opt/splunk/var/lib/splunk/winevents_security/thaweddb/db_1452350660_1451453107_329 --log-to--splunkd-log
root@XXXXXX:~#

nutjy · ‎02-24-2012

I tried this method many times, but can not search event Jan2011 -July 2011.
(the strange was it can search 2010 data) What's wrong ?
my index.conf was set as

[juniper]
coldToFrozenScript = /opt/splunk/bin/compressedExport.sh
homePath = /data/splunk/juniper/db
coldPath = /data/splunk/juniper/colddb
thawedPath = /data/splunk/juniper/thaweddb
frozenTimePeriodInSecs = 31536000

ssingh5 · ‎02-23-2012

I have archived logs of one of my index named OS the index structure is as followed. I have followed the following steps to restore archived logs back to the Thaweddb bucket in os index but still icould not able to search those logs in that time fram.

Index:

[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

Recovery Steps followed:

Copy your archive bucket to a temporary location in the thawed directory:
cp -r db_1181756465_1162600547_0 $SPLUNK_HOME/var/lib/splunk/os/thaweddb/temp_db_1181756465_1162600547_0

Execute the rebuild command on the temporary bucket to rebuild the Splunk indexes and associated files:
splunk rebuild $SPLUNK_HOME/var/lib/splunk/os/thaweddb/temp_db_1181756465_1162600547_0

Rename the temporary bucket to something that Splunk will recognize:
cd $SPLUNK_HOME/var/lib/splunk/os/thaweddb/mv temp_db_1181756465_1162600547_0 db_1181756465_1162600547_1001

laurie_maginn · ‎03-04-2014

This did not work for us!!!!

austincisneros · ‎02-04-2019

https://www.conducivesi.com/splunk-archiver-video/

MarioM · ‎02-22-2012

you need to give more details on what you did...in the meanwhile a good explanation here index restoration

Restore archived data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation