Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to restore archived data more than 1year?

ssuluguri
Path Finder
‎03-06-2023 09:57 AM

Hi Team,

I have a data in my archive folder since 2019 for one of my index app_o365 , we need to restore the complete data from archive bucket to searchable events .

Below steps recommended but while running rebuild command how can we run the 100s of folder data in single step ? do we need to run each and every folder ? Is there a way to run splunk rebuild for all db_ directories ?

 

Restoring a Frozen BucketTo thaw an archived bucket:
– Copy the bucket directory from the archive to the index's thaweddb directory
– Stop Splunk
– – Run splunk rebuild path to bucket directory
- Also works to recover a corrupted
- Directory Does not count against license
– Start Splunk

I don't have any script to run the recovery process, if any one help here is much appreciated .

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2023 10:16 AM

There is no Splunk command to rebuild multiple directories.  The solution is to script it yourself.  It's not a complicated script to iterate over directories in a particular location.

for db in /path/to/thawed/buckets; do 
  splunk rebuild "/path/to/thawed/buckets/"${db}>>rebuild.out; done

Of course, you should test it before using it on production data.

Depending on the size of the data being restored, consider standing up a standalone Splunk instance just for the thawed data.  That will avoid having to stop production indexers.

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...