Splunk Cloud Platform

Data restore

vishenps
Path Finder

Hi Folks,
I wanted to restore a chunk of data (Jan 2023 - Aug 2023) from a specific index. We use Splunk Cloud and Splunk's restore services.
Total size of data from Jan to Aug: >1700GB
Our license: 800 GB per day
Will Splunk reindex that data??
Should I do it in chunks??
I'm aware of the limitation of 10% of total archive (I'm very new to Splunk though, so correct me.) WHAT WOULD BE THE WAY TO GO?


mattymo
Splunk Employee

"should I do in chunk"? - Yes, use the date ranges to reduce your date range and restore in multiple chunks.

No, it will not "reindex it" - https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Admin/DataArchiver#Restore_archived_data_...

You can use the "check size" button to make sure your span is under your entitlement. Remember, for Dynamic Data Active Archive (DDAA) it is 10% of your Dynamic Data Active Searchable (DDAS), NOT your daily ingest entitlement. Check "cloud monitoring console > license usage > storage summary".

Span too wide! Too many buckets! [screenshot]

Shorten the span, now I can restore! [screenshot]

Reduce your chunk size to under your limit, restore that data, search it, then in the table below you can clear it and restore your next chunk.

Data quality matters here, as if your timestamps are all over the place it can be surprising how many buckets you have to restore to bring back any given date.

It will not take multiple days to restore this. If you just shrink your window you can do it in steps.

restore > search (tip: use the collect command to help move what you want to another index) > clear restore > repeat

- MattyMo
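
A sketch of planning the restore windows described in the reply above (an added example, not part of the thread and not Splunk code). The per-day sizes and the 500 GB limit are constructed assumptions; the real size of a span is whatever the "check size" button reports, which can be larger when timestamps are scattered across buckets.

```python
from datetime import date, timedelta


def plan_restore_chunks(daily_gb, restore_limit_gb):
    """Group consecutive days into restore windows that stay under the limit.

    daily_gb: {date: estimated archived GB for that day}
    Returns a list of (first_day, last_day, total_gb), dates inclusive.
    """
    chunks = []
    start = end = None
    total = 0.0
    for day in sorted(daily_gb):
        size = daily_gb[day]
        if size > restore_limit_gb:
            # At day granularity this span can never fit; flag it instead of looping.
            raise ValueError(f"{day}: {size} GB exceeds the restore limit")
        if start is not None and total + size > restore_limit_gb:
            # Adding this day would cross the limit: close the current window.
            chunks.append((start, end, total))
            start, total = None, 0.0
        if start is None:
            start = day
        end = day
        total += size
    if start is not None:
        chunks.append((start, end, total))
    return chunks


# Constructed sample: Jan 1 to Aug 31 2023 at a flat 7 GB/day (about 1700 GB).
SAMPLE_DAILY_GB = {date(2023, 1, 1) + timedelta(days=i): 7.0 for i in range(243)}
# Assumed limit for illustration only; read yours from the storage summary.
ASSUMED_RESTORE_LIMIT_GB = 500

if __name__ == "__main__":
    plan = plan_restore_chunks(SAMPLE_DAILY_GB, ASSUMED_RESTORE_LIMIT_GB)
    for first, last, gb in plan:
        # One pass of: restore > search/collect > clear restore > repeat
        print(f"restore {first} .. {last} (~{gb:.0f} GB), search, then clear")
```
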

richgalloway
SplunkTrust

If you use Splunk Auto Archive (DDAA) service then it will take 10 days to restore all 1.7TB of data.  Each chunk restored remains searchable for 30 days so you'll have only 20 days during which the whole thing can be searched.  Restored data is treated much the same as thawed data in that it is indexed and searchable, but is not subject to the index retention time.  Splunk Cloud automatically removes the restored data after 30 days.  See https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Admin/DataArchiver#Restore_archived_data_... for details.

If you use Splunk's Self Service archive (DDSS) then the data must be restored to an on-prem (or private cloud) instance much the same way you would restore frozen data in Splunk Enterprise.  There are no time limits for restored DDSS data.  See https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Admin/DataSelfStorage#Restore_indexed_dat... for more.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

Where did you get this 22 days value? I didn't find anything about restore rate limitation. Only that 10% of the overall storage entitlement. So if the OP has 800GB ingest subscription it includes 90 days of storage by default which translates to ability to restore up to 7.2TB of data at any given point in time if I understand it correctly.

(I'm not a Cloud expert, that's what I understand from Splunk websites so if I'm wrong feel free to correct me)

richgalloway
SplunkTrust

Yeah, I messed that up.  I took 10% of the license rather than of the stored data.  I'll fix the post.
