Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best practice for restoring from archive?

the_wolverine
Champion
‎05-17-2010 08:54 PM

I have data that was archived that I want to access. How do I go about restoring my archived data so that it is searchable again?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎05-17-2010 09:12 PM

Assuming you are doing this in version 4.1, let's say you have the following archived bucket:

db_1274129994_1273525194_0

  1. Move the bucket to the designated index's thaweddb. For example, if you are restoring to the main index, move it to: $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb

Example:

# cp -r db_1274129994_1273525194_0 $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/temporary-db_1274129994_1273525194_0

  • Note that, while unlikely, make sure that there isn't a bucket naming conflict. In other words, there should be no existing bucket with the same name in that directory. If so, rename the bucket by changing the bucket id (in the example above, the bucket id is 0.)

    1. Run the following command from CLI and specify the admin username:password to force Splunk to recognize the restored data.

Example:

 # $SPLUNK_HOME/bin/splunk _internal call /data/indexes/main/rebuild-metadata-and-manifests -auth admin:changeme

View solution in original post

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎05-17-2010 09:14 PM

You can restore archived data by moving the archive into the thawed directory, $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb.

further details here:

http://www.splunk.com/base/Documentation/latest/Admin/Restorearchiveddata

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎05-17-2010 09:12 PM

Assuming you are doing this in version 4.1, let's say you have the following archived bucket:

db_1274129994_1273525194_0

  1. Move the bucket to the designated index's thaweddb. For example, if you are restoring to the main index, move it to: $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb

Example:

# cp -r db_1274129994_1273525194_0 $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/temporary-db_1274129994_1273525194_0

  • Note that, while unlikely, make sure that there isn't a bucket naming conflict. In other words, there should be no existing bucket with the same name in that directory. If so, rename the bucket by changing the bucket id (in the example above, the bucket id is 0.)

    1. Run the following command from CLI and specify the admin username:password to force Splunk to recognize the restored data.

Example:

 # $SPLUNK_HOME/bin/splunk _internal call /data/indexes/main/rebuild-metadata-and-manifests -auth admin:changeme
Reply
Solved! Jump to solution

the_wolverine
Champion
‎05-01-2012 11:29 AM

There's still a thaweddb in 4.3 so I will assume that this works the same way.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎04-26-2012 06:33 AM

how whould that work on 4.3.x... still this way or did it change and you have to put the bucket somewhere else?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...