Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Old data cannot load

Eshmin
Observer
‎01-06-2022 09:43 PM

Splunk can not load old data only load current data. Though it shows event count. Before that I have moved some splunk cold db folder  in several times to free up space . and it worked fine. I dont understand what happend now. Is there any way to recover data without splunk search? Installed in windows.

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 11:28 PM

Sorry for my little knowledge about it. Is there any way to get expert help for data recovery Live chat or whatsApp number? Actually I have urgency to recover last month specific data.

without search is there any way to load file in CSV format? coz it shows event count 😞

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 10:51 PM

Anyone there help me to recover data? I am willing to pay.

0 Karma
Reply

SinghK
Builder
‎01-06-2022 10:57 PM

Did you manually move tsidx files??

 

0 Karma
Reply

Eshmin
Observer
‎01-06-2022 11:02 PM

I have move folder from cold db. like the folders which was generated September month. and yes its contain tsidx file.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-07-2022 06:00 AM

Disclaimer: I haven't try this with myself, so you no warranty are given and you are doing this with your own risk!

If I understood right you are moving some cold data, not frozen data? I suppose that you have only one instance as all-in-one setup (indexer, search head at the same node). If it's this way then basically you should restore the situation by

  1. Stop splunk
  2. Take backup of your DB_HOME 
  3. Add need space for that old data under DB_HOME
  4. Move/copy old data to it's original place
  5. Start splunk

Another option could be that you manage it as thawed data and restore it to thaweddb directory for that index.  Basically there shouldn't be need to rebuild that dir as you have moved those files without removing metadata from it. Anyhow You should stop your splunk instance and do actions when it's down. 

When you are starting it look what kind of errors you will gotten to splunkd.log. Especially if it cannot start.

r. Ismo

0 Karma
Reply

SinghK
Builder
‎01-06-2022 11:19 PM

https://community.splunk.com/t5/Monitoring-Splunk/Restore-archived-data/m-p/76301

 

if this does not help open case with support.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...