Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to thaw multiple DB within the Frozen bucket?

dperry
Communicator
‎03-16-2015 03:05 PM

I have seen a question regarding this, but doesn't seem to explain much.....I'm looking to move multiple db_* to the thaweddb..I move the data like so: 

cp -r db_140* $SPLUNK_DB/web_logging/thaweddb/

My question...what command can I do so that I can rebuild all the content in this folder, thaweddb? The time it takes to rebuild one db_* at a time is forever.....My Indexer is running on Linux.

index=web_logging
$SPLUNK_DB/web_logging/thaweddb
$SPLUNK_DB/web_logging/frozendb

0 Karma
Reply

jjozwik702
Explorer
‎08-30-2017 09:50 AM

Does restoring count against your daily index limit?

0 Karma
Reply

fernanlee
Path Finder
‎11-11-2019 03:29 PM

No, because that data was indexed before and you paid for that "index process". Don't worry about that.

0 Karma
Reply

sherm77
Path Finder
‎04-04-2018 06:57 AM

Verify this with your Splunk account manager, but in my experience & training, previously indexed data does not have a license cost to it no matter how you move it around or rebuild from frozen to thawed. Now, if you manipulate the data and reindex it, then you'll have a cost since you are materially changing the indexed data.

0 Karma
Reply

dperry
Communicator
‎03-17-2015 07:47 AM

So I ran the above command to rebuild the multiple db's within the Thawed bucket, took about 9 hours to complete. I suppose this is the only solution if you need to restore allot of data.

Reply

rajanala
Path Finder
‎06-24-2015 11:30 AM

If possible, please provide an estimated GB of the 400 buckets.
9 hours = 400 buckets = ? GB

Thank you.

Reply

qtopia7100
Explorer
‎07-21-2017 06:48 AM

I'd like to know time and size as well

Reply

dperry
Communicator
‎03-16-2015 03:35 PM

Is there a faster way of rebuilding the buckets? I can run the following command:

cd /opt/splunk/var/lib/splunk/web_logging/thaweddb ; ls | xargs -i /opt/splunk/bin/splunk rebuild {}

But I have over 400 buckets I need to rebuild??!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...