I am attempting to use the importtool and exporttool to copy data from one environment to another. After the import the data doesn't seem to have shown up in the index. I attempted run the import command a second time, and got the following error:
"Please ensure that you are importing to a new bucket, as opposed to an existing one"
The command I am using is:
/splunk cmd importtool /opt/myapps/splunk/var/lib/splunk/myindex/db ~/export1.csv
I'm confused and not sure where to look. After running this the first time it told me several thousand events had been imported. Yet they do not show up in splunk when running query "index=myindex".
Any help appreciated.
Have you seen http://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html ? It based on the output you received it sounds like it worked the first time. Have you restarted Splunk since running it?
This article is exactly what I used as a reference. Yes, I did restart Splunk.
you need to create and add the new bucket name - meaning:
/splunk cmd importtool /opt/myapps/splunk/var/lib/splunk/myindex/db/db_X_Y_0 ~/export1.csv -csv
will do the job.. otherwise the rawdata and tsidx file will be created in db dir instead of dbXY_0