After restoring frozen buckets, why am I getting no results when searching the thawed data for any fields other than index, host and source?

Communicator

Splunk Instance running on Linux

I recently restored frozen buckets to my thawed bucket as follows:

cp -r * /opt/splunk/var/lib/splunk/web_logging/thaweddb/
then run the command splunk rebuild

I'm able to view the thawed data on a search with the Index, host & source. BUT when I try to do a search on a particular field pair or just a line, the search comes up empty...it's like it's not indexed??

Has anyone restored data and been able to search on specific fields?
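As an added example (not code from the original post, and not Splunk's own tooling), here is a small POSIX shell helper for the restore step described above. Since `splunk rebuild` takes a single bucket path, every bucket copied into thaweddb has to be rebuilt individually; the helper walks the thaweddb directory, rebuilds each bucket it recognises, and reports how many rebuilds failed so a restore that silently skipped buckets is noticed. The `db_<newest>_<oldest>_<id>` naming pattern, the `SPLUNK_HOME` default and the dry-run flag are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Rebuild every bucket copied into an index's thaweddb directory.
# Assumed layout: $SPLUNK_HOME/var/lib/splunk/<index>/thaweddb/db_<newest>_<oldest>_<id>
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# is_bucket_dir NAME: succeeds if NAME matches the assumed bucket naming scheme
# db_<newest epoch>_<oldest epoch>_<local id> (clustered buckets may carry a
# trailing GUID, which the trailing '*' tolerates).
is_bucket_dir() {
  case "$1" in
    db_[0-9]*_[0-9]*_[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# list_buckets THAWEDDB: prints the path of each bucket directory found.
list_buckets() {
  for d in "$1"/*; do
    [ -d "$d" ] || continue
    is_bucket_dir "$(basename "$d")" && printf '%s\n' "$d"
  done
}

# rebuild_thawed THAWEDDB [DRY_RUN]
# Runs 'splunk rebuild <bucket>' for every bucket under THAWEDDB.
# With DRY_RUN=1 it only prints the commands it would run.
# Exit status is the number of buckets whose rebuild failed (0 = all good).
rebuild_thawed() {
  dir="$1"; dry="${2:-0}"; count=0; failed=0
  for b in "$dir"/*; do
    [ -d "$b" ] || continue
    is_bucket_dir "$(basename "$b")" || continue
    count=$((count + 1))
    if [ "$dry" = 1 ]; then
      printf 'would run: %s rebuild %s\n' "$SPLUNK_HOME/bin/splunk" "$b"
    elif ! "$SPLUNK_HOME/bin/splunk" rebuild "$b"; then
      printf 'rebuild failed for %s\n' "$b" >&2
      failed=$((failed + 1))
    fi
  done
  printf '%d bucket(s) processed, %d failed\n' "$count" "$failed" >&2
  return "$failed"
}

# Usage: ./rebuild_thawed.sh /opt/splunk/var/lib/splunk/web_logging/thaweddb [1]
if [ $# -gt 0 ]; then
  rebuild_thawed "$@"
fi
```

Run it with the dry-run flag first to confirm the bucket directories it found are the ones you copied; a bucket whose directory name does not match the pattern is skipped rather than rebuilt, which is the usual reason thawed data stays invisible after a restore. Restart the indexer afterwards, as the thread notes, before searching the thawed time range.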


Re: After restoring frozen buckets, why am I getting no results when searching the thawed data for any fields other than index, host and source?

Splunk Employee

This is a known issue resolved in 6.2.1, SPL-94063. If you upgrade, it should resolve the issue once you run a rebuild on the data again.


Re: After restoring frozen buckets, why am I getting no results when searching the thawed data for any fields other than index, host and source?

Communicator

Thanks for the info!


Re: After restoring frozen buckets, why am I getting no results when searching the thawed data for any fields other than index, host and source?

Communicator

We just restored a bucket on 6.2.1 and we cannot find data for the time specified.
PWD is /opt/splunk/var/lib/splunk/wineventlog/thaweddb/
CLI executed was /opt/splunk/bin/splunk rebuild db14292956811427997060_10

It executed with warning messages but completed.
/opt/splunk/bin/splunk rebuild db14292956811427997060_10
USAGE: splunk rebuild [] [--no-log]
The parameter is ignored if provided.
Please see 'splunk fsck' for more options. This command is just a wrapper for 'splunk fsck'.

Redirecting to 'splunkd fsck' with args:
repair --one-bucket --include-hots --bucket-path=db1429295681142799706010 --log-to--splunkd-log
WARN Fsck - Not loading indexes.conf; will proceed with all defaults
INFO Fsck - (entire bucket) Rebuild for bucket='/opt/splunk/var/lib/splunk/wineventlog/thaweddb/db1429295681142799706010' took 517.4 seconds

When it was done we restarted the indexer and searched for the desired time period. No data found.


Re: After restoring frozen buckets, why am I getting no results when searching the thawed data for any fields other than index, host and source?

Communicator

Never mind, the data did restore but I was looking at the wrong time range.


Re: After restoring frozen buckets, why am I getting no results when searching the thawed data for any fields other than index, host and source?

Engager

SPL-94063 really needs to be publicly documented....


Re: After restoring frozen buckets, why am I getting no results when searching the thawed data for any fields other than index, host and source?

Champion

Thank you for asking this question, dperry, and for providing a descriptive question which allowed me to track down the same issue quickly.