Reporting

After using exporttool and importtool to copy buckets from one environment to another, why is the imported data not searchable?

timmy13
Communicator

I am attempting to use the importtool and exporttool to copy data from one environment to another. After the import the data doesn't seem to have shown up in the index. I attempted run the import command a second time, and got the following error:

"Please ensure that you are importing to a new bucket, as opposed to an existing one"

The command I am using is:

/splunk cmd importtool /opt/myapps/splunk/var/lib/splunk/myindex/db ~/export1.csv

I'm confused and not sure where to look. After running this the first time it told me several thousand events had been imported. Yet they do not show up in splunk when running query "index=myindex".

Any help appreciated.

0 Karma

schose
Builder

Hi,

you need to create and add the new bucket name - meaning:

 /splunk cmd importtool /opt/myapps/splunk/var/lib/splunk/myindex/db/db_X_Y_0 ~/export1.csv -csv

will do the job.. otherwise the rawdata and tsidx file will be created in db dir instead of db_X_Y_0

Regards,

Andreas

0 Karma

dflodstrom
Builder

Have you seen http://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html ? It based on the output you received it sounds like it worked the first time. Have you restarted Splunk since running it?

0 Karma

timmy13
Communicator

This article is exactly what I used as a reference. Yes, I did restart Splunk.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...