Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Moving data from stash back to an index?

claudiaG
Engager
‎03-02-2023 04:36 AM

Hello all,

following use case:

We wanted to create a backup of some json data. For this we created a new index called  "xyz_backup" and moved all data from the original index to it. By doing that the sourcetype was set to "stash" in the backup index.

Now we want to move the data from the "xyz_backup" index back to the original index. But the sourcetype should be json again and also the field extraction should be back.

By running following command the only thing that happens is that the sourcetype gets set to "json" but the data itself is still not in the right json format (field extractions not working etc.).:

index=xyz_backup
| collect index=original sourcetype=_json

How can we get the data back into its original format (json)?

The original data is still available and could maybe be "read-in" again by resetting the fishbucket but the bad thing is its only possible for individual files right? not for a complete folder? because we have over 100files...

 

Thanks in advance for your help or a quick tip.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-02-2023 04:50 AM

I'd suggest going over your source files with a script and resetting fishbucket for those entries to reingest them again.

1. Depending on what you did in your summary-creating search, the stash events contents are simply no longer the same as the original events and short of doing some strange magic to "untangle" it (and for this you have to know exactly what the search did and how it transformed the events) you can't "recreate" the original events. (compare it to making photos of postcards - if you only did photos of the postcard picture, you have no way of knowing what was written on the back).

2. Even if you put in the effort and were able to re-make your jsons, collecting them with any other sourcetype than stash would incure license usage anyway.

So probably the easiest way is to reingest the events from the source.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-02-2023 04:50 AM

I'd suggest going over your source files with a script and resetting fishbucket for those entries to reingest them again.

1. Depending on what you did in your summary-creating search, the stash events contents are simply no longer the same as the original events and short of doing some strange magic to "untangle" it (and for this you have to know exactly what the search did and how it transformed the events) you can't "recreate" the original events. (compare it to making photos of postcards - if you only did photos of the postcard picture, you have no way of knowing what was written on the back).

2. Even if you put in the effort and were able to re-make your jsons, collecting them with any other sourcetype than stash would incure license usage anyway.

So probably the easiest way is to reingest the events from the source.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...