Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Old data cannot load

Eshmin
Observer
‎01-06-2022 09:43 PM

Splunk can not load old data only load current data. Though it shows event count. Before that I have moved some splunk cold db folder  in several times to free up space . and it worked fine. I dont understand what happend now. Is there any way to recover data without splunk search? Installed in windows.

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 11:28 PM

Sorry for my little knowledge about it. Is there any way to get expert help for data recovery Live chat or whatsApp number? Actually I have urgency to recover last month specific data.

without search is there any way to load file in CSV format? coz it shows event count 😞

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 10:51 PM

Anyone there help me to recover data? I am willing to pay.

0 Karma
Reply

SinghK
Builder
‎01-06-2022 10:57 PM

Did you manually move tsidx files??

 

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 11:02 PM

I have move folder from cold db. like the folders which was generated September month. and yes its contain tsidx file.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-07-2022 06:00 AM

Disclaimer: I haven't try this with myself, so you no warranty are given and you are doing this with your own risk!

If I understood right you are moving some cold data, not frozen data? I suppose that you have only one instance as all-in-one setup (indexer, search head at the same node). If it's this way then basically you should restore the situation by

  1. Stop splunk
  2. Take backup of your DB_HOME 
  3. Add need space for that old data under DB_HOME
  4. Move/copy old data to it's original place
  5. Start splunk

Another option could be that you manage it as thawed data and restore it to thaweddb directory for that index.  Basically there shouldn't be need to rebuild that dir as you have moved those files without removing metadata from it. Anyhow You should stop your splunk instance and do actions when it's down. 

When you are starting it look what kind of errors you will gotten to splunkd.log. Especially if it cannot start.

r. Ismo

0 Karma
Reply

SinghK
Builder
‎01-06-2022 11:19 PM

https://community.splunk.com/t5/Monitoring-Splunk/Restore-archived-data/m-p/76301

 

if this does not help open case with support.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...