Splunk Cloud Platform

Data restore

vishenps
Path Finder

Hi Folks,
I wanted to restore a chunk of data (Jan 2023 - Aug 2023) from a specific index. We use Splunk Cloud and Splunk's restore services.
Total size of data from Jan to Aug: >1700GB
Our license: 800 GB per day
Will Splunk reindex that data?
Should I do it in chunks?
I'm aware of the limitation of 10% of total archive (I'm very new to Splunk though, so correct me). What would be the way to go?


mattymo
Splunk Employee

"Should I do it in chunks?" - Yes, use the date ranges to reduce your date range and restore in multiple chunks.

No, it will not "reindex it" - https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Admin/DataArchiver#Restore_archived_data_...

You can use the "check size" button to make sure your span is under your entitlement. Remember Dynamic Data Active Archive (DDAA) is 10% of your Dynamic Data Active Searchable (DDAS), NOT your daily ingest entitlement. Check "cloud monitoring console > license usage > storage summary".

[Screenshot: "Span too wide! Too many buckets!"]

[Screenshot: "Shorten the span, now I can restore!"]
Reduce your chunk size to under your limit, restore that data, search it, then in the table below you can clear it and restore your next chunk.

Data quality matters here, as if your timestamps are all over the place it can be surprising how many buckets you have to restore to bring back any given date.

It will not take multiple days to restore this. If you just shrink your window you can do it in steps.

restore > search (tip: use the collect command to help move what you want to another index) > clear restore > repeat

- MattyMo
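The restore > search > collect > clear loop for one chunk, written out as an added example (not from the thread). It assumes a DDAA restore makes the buckets searchable in their original index, here the placeholder `web_archive`, and that a second index `web_restored_2023` (also a placeholder) already exists to hold the copy. The first search confirms the restored chunk actually covers the wanted month and exposes stray timestamps that pulled in extra buckets; the second copies the chunk with `collect`; the third compares counts in both indexes before the restore is cleared.

```spl
index=web_archive earliest="01/01/2023:00:00:00" latest="02/01/2023:00:00:00"
| timechart span=1d count

index=web_archive earliest="01/01/2023:00:00:00" latest="02/01/2023:00:00:00"
| collect index=web_restored_2023 addtime=true

| tstats count where index IN (web_archive, web_restored_2023)
    earliest="01/01/2023:00:00:00" latest="02/01/2023:00:00:00" by index
```

`collect` writes the copy with sourcetype `stash` by default, which is not charged against ingest license; overriding `sourcetype=` in the collect command makes the copied events licensed ingest, so leave it at the default unless that is intended.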

richgalloway
SplunkTrust

If you use Splunk Auto Archive (DDAA) service then it will take 10 days to restore all 1.7TB of data.  Each chunk restored remains searchable for 30 days so you'll have only 20 during which the whole thing can be searched.  Restored data is treated much the same as thawed data in that it is indexed and searchable, but is not subject to the index retention time.  Splunk Cloud automatically removes the restored data after 30 days.  See https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Admin/DataArchiver#Restore_archived_data_... for details.

If you use Splunk's Self Service archive (DDSS) then the data must be restored to an on-prem (or private cloud) instance much the same way you would restore frozen data in Splunk Enterprise.  There are no time limits for restored DDSS data.  See https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Admin/DataSelfStorage#Restore_indexed_dat... for more.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

Where did you get this 22 days value? I didn't find anything about restore rate limitation. Only that 10% of the overall storage entitlement. So if the OP has 800GB ingest subscription it includes 90 days of storage by default which translates to ability to restore up to 7.2TB of data at any given point in time if I understand it correctly.

(I'm not a Cloud expert, that's what I understand from Splunk websites so if I'm wrong feel free to correct me)

richgalloway
SplunkTrust

Yeah, I messed that up.  I took 10% of the license rather than of the stored data.  I'll fix the post.

---
If this reply helps you, Karma would be appreciated.