Splunk Search

After restoring frozen buckets, why am I getting no results when searching the thawed data for any fields other than index, host and source?

dperry
Communicator

Splunk Instance running on Linux

I recently restored frozen buckets to my thawed bucket as follows:

cp -r * /opt/splunk/var/lib/splunk/web_logging/thaweddb/
then run the command splunk rebuild

I'm able to view the thawed data on a search with the Index, host & source. BUT when I try to do a search on a particular field pair or just a line, the search comes up empty...it's like it's not indexed??

Has anyone restored data and been able to search on specific fields?

1 Solution

jbsplunk
Splunk Employee

This is a known issue resolved in 6.2.1, SPL-94063. If you upgrade, it should resolve the issue once you run a rebuild on the data again.

the_wolverine
Champion

Thank you for asking this question, dperry, and for providing a descriptive question which allowed me to track down the same issue quickly.

bofa
Engager

SPL-94063 really needs to be publicly documented....

dperry
Communicator

Thanks for the info!

0 Karma

MikeBertelsen
Communicator

We just restored a bucket on 6.2.1 and we cannot find data for the time specified.
PWD is /opt/splunk/var/lib/splunk/wineventlog/thaweddb/
CLI executed was /opt/splunk/bin/splunk rebuild db_1429295681_1427997060_10

It executed with warning messages but completed.
/opt/splunk/bin/splunk rebuild db_1429295681_1427997060_10
USAGE: splunk rebuild [] [--no-log]
The parameter is ignored if provided.
Please see 'splunk fsck' for more options. This command is just a wrapper for 'splunk fsck'.

Redirecting to 'splunkd fsck' with args:
repair --one-bucket --include-hots --bucket-path=db_1429295681_1427997060_10 --log-to--splunkd-log
WARN Fsck - Not loading indexes.conf; will proceed with all defaults
INFO Fsck - (entire bucket) Rebuild for bucket='/opt/splunk/var/lib/splunk/wineventlog/thaweddb/db_1429295681_1427997060_10' took 517.4 seconds

When it was done we restarted the indexer and searched for the desired time period. No data found.

0 Karma

MikeBertelsen
Communicator

Never mind, the data did restore but I was looking at the wrong time range.

0 Karma
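Two quick checks worth running on a thawed bucket before searching it, covering both the "looks unindexed" symptom in the question and the wrong-time-range mix-up above. This is an added example, not code from the thread or from Splunk; it assumes the standard bucket directory layout (db_<latest>_<earliest>_<id>, rawdata/journal.gz, *.tsidx index files) and GNU or BSD date for the human-readable output.

```shell
#!/bin/sh
# Added example (not from the thread). Two sanity checks for a bucket that
# was copied into thaweddb and run through "splunk rebuild":
#   bucket_time_range       epoch range from the directory name, so the
#                           search time picker covers the right window
#   bucket_is_indexed       the rebuild produced .tsidx index files next to
#                           the raw journal; without them only metadata
#                           fields (index, host, source) will match

# Print "<earliest> <latest>" epoch seconds from a bucket directory name.
bucket_time_range() {
    name=$(basename "$1")
    case "$name" in
        db_*_*_*|rb_*_*_*) ;;
        *) echo "not a bucket name: $name" >&2; return 1 ;;
    esac
    latest=$(echo "$name" | cut -d_ -f2)     # second field is the newest event
    earliest=$(echo "$name" | cut -d_ -f3)   # third field is the oldest event
    echo "$earliest $latest"
}

# Same range as UTC timestamps, one per line (GNU date first, BSD fallback).
bucket_time_range_human() {
    range=$(bucket_time_range "$1") || return 1
    set -- $range
    for t in "$1" "$2"; do
        date -u -d "@$t" '+%Y-%m-%d %H:%M:%S' 2>/dev/null \
            || date -u -r "$t" '+%Y-%m-%d %H:%M:%S'
    done
}

# Return 0 if the bucket has its raw journal and at least one .tsidx file,
# 1 otherwise (the rebuild did not produce index files; run it again).
bucket_is_indexed() {
    dir=$1
    [ -f "$dir/rawdata/journal.gz" ] \
        || { echo "$dir: missing rawdata/journal.gz" >&2; return 1; }
    for f in "$dir"/*.tsidx; do
        [ -f "$f" ] && return 0
    done
    echo "$dir: no .tsidx files; run 'splunk rebuild $dir'" >&2
    return 1
}

# Usage on the bucket from this thread:
#   bucket_time_range_human /opt/splunk/var/lib/splunk/wineventlog/thaweddb/db_1429295681_1427997060_10
#   bucket_is_indexed /opt/splunk/var/lib/splunk/wineventlog/thaweddb/db_1429295681_1427997060_10
```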