Is there a way to restore archived data more than ...

ssuluguri · ‎03-06-2023

Hi Team,

I have a data in my archive folder since 2019 for one of my index app_o365 , we need to restore the complete data from archive bucket to searchable events .

Below steps recommended but while running rebuild command how can we run the 100s of folder data in single step ? do we need to run each and every folder ? Is there a way to run splunk rebuild for all db_ directories ?

Restoring a Frozen BucketTo thaw an archived bucket:
– Copy the bucket directory from the archive to the index's thaweddb directory
– Stop Splunk
– – Run splunk rebuild path to bucket directory
- Also works to recover a corrupted
- Directory Does not count against license
– Start Splunk

I don't have any script to run the recovery process, if any one help here is much appreciated .

richgalloway · ‎03-06-2023

There is no Splunk command to rebuild multiple directories. The solution is to script it yourself. It's not a complicated script to iterate over directories in a particular location.

for db in /path/to/thawed/buckets; do 
  splunk rebuild "/path/to/thawed/buckets/"${db}>>rebuild.out; done

Of course, you should test it before using it on production data.

Depending on the size of the data being restored, consider standing up a standalone Splunk instance just for the thawed data. That will avoid having to stop production indexers.

---
If this reply helps you, Karma would be appreciated.

Is there a way to restore archived data more than 1year?

metadata

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!