Reporting
Highlighted

After using exporttool and importtool to copy buckets from one environment to another, why is the imported data not searchable?

Communicator

I am attempting to use the importtool and exporttool to copy data from one environment to another. After the import the data doesn't seem to have shown up in the index. I attempted run the import command a second time, and got the following error:

"Please ensure that you are importing to a new bucket, as opposed to an existing one"

The command I am using is:

/splunk cmd importtool /opt/myapps/splunk/var/lib/splunk/myindex/db ~/export1.csv

I'm confused and not sure where to look. After running this the first time it told me several thousand events had been imported. Yet they do not show up in splunk when running query "index=myindex".

Any help appreciated.

0 Karma
Highlighted

Re: After using exporttool and importtool to copy buckets from one environment to another, why is the imported data not searchable?

Builder

Have you seen http://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html ? It based on the output you received it sounds like it worked the first time. Have you restarted Splunk since running it?

0 Karma
Highlighted

Re: After using exporttool and importtool to copy buckets from one environment to another, why is the imported data not searchable?

Communicator

This article is exactly what I used as a reference. Yes, I did restart Splunk.

Highlighted

Re: After using exporttool and importtool to copy buckets from one environment to another, why is the imported data not searchable?

Contributor

Hi,

you need to create and add the new bucket name - meaning:

 /splunk cmd importtool /opt/myapps/splunk/var/lib/splunk/myindex/db/db_X_Y_0 ~/export1.csv -csv

will do the job.. otherwise the rawdata and tsidx file will be created in db dir instead of dbXY_0

Regards,

Andreas

0 Karma