Splunk Instance running on Linux
I recently restored frozen buckets to my thawed bucket as follows:
cp -r * /opt/splunk/var/lib/splunk/web_logging/thaweddb/
then ran the command splunk rebuild
I'm able to view the thawed data in a search by the index, host and source, BUT when I try to search on a particular field pair or just a line, the search comes up empty... it's like it's not indexed??
Has anyone restored data and been able to search on specific fields?
Thank you for asking this question, dperry, and for providing a descriptive question which allowed me to track down the same issue quickly.
This is a known issue resolved in 6.2.1, SPL-94063. If you upgrade, it should resolve the issue once you run a rebuild on the data again.
SPL-94063 really needs to be publicly documented....
Thanks for the info!
We just restored a bucket on 6.2.1 and we cannot find data for the time specified.
PWD is /opt/splunk/var/lib/splunk/wineventlog/thaweddb/
CLI executed was /opt/splunk/bin/splunk rebuild db_1429295681_1427997060_10
It executed with warning messages but completed.
/opt/splunk/bin/splunk rebuild db_1429295681_1427997060_10
USAGE: splunk rebuild [] [--no-log]
The parameter is ignored if provided.
Please see 'splunk fsck' for more options. This command is just a wrapper for 'splunk fsck'.
Redirecting to 'splunkd fsck' with args:
repair --one-bucket --include-hots --bucket-path=db_1429295681_1427997060_10 --log-to--splunkd-log
WARN Fsck - Not loading indexes.conf; will proceed with all defaults
INFO Fsck - (entire bucket) Rebuild for bucket='/opt/splunk/var/lib/splunk/wineventlog/thaweddb/db_1429295681_1427997060_10' took 517.4 seconds
When it was done, we restarted the indexer and searched the desired time period. No data found.
Never mind, the data did restore, but I was looking at the wrong time range.
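Both posts above do the same thing by hand: copy frozen bucket directories into an index's thaweddb, run splunk rebuild on each, restart, and then search a time window. The script below is an added example, not code from the thread or from Splunk: it copies only directories that look like buckets (the first post's cp -r * copies whatever else is in the directory too), rebuilds each one with the splunk binary when it is present, and prints the time window encoded in the bucket name, since the second poster's problem was searching the wrong time range. Splunk names buckets db_<latest epoch>_<earliest epoch>_<id> (rb_ for replicated copies), so the window is recoverable from the name alone. The index name, source directory and SPLUNK_HOME default are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk). Restores frozen buckets
# into an index's thaweddb one bucket at a time and reports the time window
# each bucket name promises. Assumes SPLUNK_HOME (default /opt/splunk), the
# source directory and the index name are supplied by the caller.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Validate a bucket directory name and print "<earliest> <latest>" epochs.
# Bucket names are db_<latest>_<earliest>_<id> (or rb_ for replicated copies).
# Returns 1 for anything else, including a name whose earliest is after latest.
bucket_span() {
    name=$(basename "$1")
    set -- $(echo "$name" | tr '_' ' ')
    [ "$#" -eq 4 ] || { echo "not a bucket name: $name" >&2; return 1; }
    case "$1" in db|rb) ;; *) echo "not a bucket name: $name" >&2; return 1 ;; esac
    for f in "$2" "$3" "$4"; do
        case "$f" in ''|*[!0-9]*) echo "not a bucket name: $name" >&2; return 1 ;; esac
    done
    [ "$3" -le "$2" ] || { echo "earliest after latest in $name" >&2; return 1; }
    echo "$3 $2"
}

# Copy every validated db_* bucket from SRC into INDEX's thaweddb and rebuild it.
# `splunk rebuild <bucket_path>` is a wrapper for `splunkd fsck repair --one-bucket`,
# as the second post's output shows; a restart afterwards is what the thread did.
restore_frozen() {
    src=$1
    index=$2
    thawed="$SPLUNK_HOME/var/lib/splunk/$index/thaweddb"
    mkdir -p "$thawed"
    for b in "$src"/db_*; do
        [ -d "$b" ] || continue
        span=$(bucket_span "$b") || { echo "skipping $b" >&2; continue; }
        bname=$(basename "$b")
        cp -r "$b" "$thawed/"
        # Search this window (epoch seconds) after the rebuild to confirm the data is back.
        echo "restored $bname covering epochs $span"
        if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
            "$SPLUNK_HOME/bin/splunk" rebuild "$thawed/$bname"
        else
            echo "splunk binary not found under $SPLUNK_HOME; rebuild $bname by hand" >&2
        fi
    done
}

# Usage: restore_frozen /path/to/frozen/buckets wineventlog
```

On a GNU system, date -u -d @1427997060 turns the printed epochs into a readable window; that window, not the day you ran the restore, is what the search time picker must cover.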