- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Restore archive logs to make them searchable again
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Restore archive logs to make them searchable again
HI!
I am using splunk enterprise 7.0.1 and I have installed it on my C drive.I have archived my logs on following location D:\archive.I have perform following steps to restore my logs but unable to to so.
1)I have run Following command( C:>xcopy D:\archive\db_1513683972_1613682334_0 %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\/s /e /v) which makes folder named %SPLUNK_HOME% on C drive contaning journal zip file.
2)After that I have run this command( C:\Program Files\Splunk\bin>splunk rebuild %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\db_1513683972_1613682334_0) that was successfully executed.
3)Then i have run this command by modifiying zero at the end to 1001 as studied somewhere to give it unique bucket id.(C:\%SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb>move db_1513683972_1613682334_0 db_1513683972_1613682334_1001)
Please help where i am wrong.I am stuck here from many days but unable to restore logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey aqudoos,
You can refer the following doc:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Restorearchiveddata
You don't need to change the unique id and you need to restart splunk service after restoring data in thawed path.
Let me know if this helps!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI deepashri_123
Thanks for answer!!
I just try another method.
1)I directly copied one of my archive db folder directly to thaweddb.
C:\Program Files\Splunk\var\lib\splunk\defaultdb\thaweddb\db_1513910393_1513952434_5
2)After that I run the splunkrebuild command as shown below.
C:>splunk rebuild programfiles\splunk\var\lib\splunk\defaultdb\thaweddb\db_1513910393_1513952434_5
3)But still i was unable to search the logs.
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you restart after this?
Also check for any errors in internal logs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for answer!
Yes i have restarted service after this and still not success.
One thing i was confused was that after copying my archive db folder in to thawed db residing under var/lib/splunk/defualtdb and then running splunk rebuild command on that db folder under thawed db,how can my archive logs will link to my hot folder of specific index so that it will be serachable again.
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey aqudoos,
I think the problem is your data is restored in main index, if you want to add it in particular index your path should be this:
C:\Program Files\Splunk\var\lib\splunk\your_index\thaweddb\db_1513910393_1513952434_5
This should work!!
For confirmation check index=main your data should be available there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did that help?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
