Does the windows for loop rebuild concurrently or sequentially? I may consider creating a concurrent rebuild script for windows as well if yours is sequential.
Your solution for Linux is elegantly simple (that is a compliment), however I'm not sure it will work for every use case, for example the op said they had "months and months" of data to thaw out, this probably means hundreds of buckets and xarg is going to spawn a child process for every one of them, if you start all of those up at once its likely going to have the effect of slowing things down instead of speeding them up (for reasons I won't go into unless someone really wants me to elaborate). There are some arguments that you can pass to xarg to define a limit for the process pool that executes each rebuild which should improve your solution dramatically, I suggest you take a look at the following (in particular the --max-procs argument):
http://coldattic.info/shvedsky/pro/blogs/a-foo-walks-into-a-bar/posts/7
For anyone that doesn't need as an elaborate solution as I have posted below this is probably the way to go.
Example (not tested):
ls -dA $SPLUNK_HOME/var/lib/splunk/{index1,index2}/*/thaweddb/* | awk -v et={epoch-of-earliest-event-to-restore}, lt={epoch-of-latest-event-to-restore} 'BEGIN {FS = \"_\"} $2 >= et && $3 <= lt {print $1\"_\"$2\"_\"$3\"_\"$4}'" | xargs -I BUCKET --max-procs=10 sudo -H -u splunk $SPLUNK_HOME/bin/splunk rebuild BUCKET
Replace {epoch-of-earliest-event-to-restore} and {epoch-of-latest-event-to-restore} with actual epoch values in the example above or omit either earliest or latest time or both entirely (like below which only enforces the earliest time):
ls -dA $SPLUNK_HOME/var/lib/splunk/{index1,index2}/*/thaweddb/* | awk -v et={epoch-of-earliest-event-to-restore} 'BEGIN {FS = \"_\"} $2 >= et {print $1\"_\"$2\"_\"$3\"_\"$4}'" | xargs -I BUCKET --max-procs=10 sudo -H -u splunk $SPLUNK_HOME/bin/splunk rebuild BUCKET
One might also consider using something like "GNU parallel" as well.
This does not have any logging, status indicators, it does not check for tsidx files in a bucket before rebuilding (meaning if you re-run the command it will rebuild the same buckets over again), etc. so it's not perfect but should work for some.
... View more