Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Old data cannot load

Eshmin
Observer
‎01-06-2022 09:43 PM

Splunk can not load old data only load current data. Though it shows event count. Before that I have moved some splunk cold db folder  in several times to free up space . and it worked fine. I dont understand what happend now. Is there any way to recover data without splunk search? Installed in windows.

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 11:28 PM

Sorry for my little knowledge about it. Is there any way to get expert help for data recovery Live chat or whatsApp number? Actually I have urgency to recover last month specific data.

without search is there any way to load file in CSV format? coz it shows event count 😞

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 10:51 PM

Anyone there help me to recover data? I am willing to pay.

0 Karma
Reply

SinghK
Builder
‎01-06-2022 10:57 PM

Did you manually move tsidx files??

 

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 11:02 PM

I have move folder from cold db. like the folders which was generated September month. and yes its contain tsidx file.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-07-2022 06:00 AM

Disclaimer: I haven't try this with myself, so you no warranty are given and you are doing this with your own risk!

If I understood right you are moving some cold data, not frozen data? I suppose that you have only one instance as all-in-one setup (indexer, search head at the same node). If it's this way then basically you should restore the situation by

  1. Stop splunk
  2. Take backup of your DB_HOME 
  3. Add need space for that old data under DB_HOME
  4. Move/copy old data to it's original place
  5. Start splunk

Another option could be that you manage it as thawed data and restore it to thaweddb directory for that index.  Basically there shouldn't be need to rebuild that dir as you have moved those files without removing metadata from it. Anyhow You should stop your splunk instance and do actions when it's down. 

When you are starting it look what kind of errors you will gotten to splunkd.log. Especially if it cannot start.

r. Ismo

0 Karma
Reply

SinghK
Builder
‎01-06-2022 11:19 PM

https://community.splunk.com/t5/Monitoring-Splunk/Restore-archived-data/m-p/76301

 

if this does not help open case with support.

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...