How to restore the splunkdb from tape backup - Linux

splunkvickyloui
Explorer

Hi,

Our Splunk setup stores the indexed data under /data02/tools/splunkdb/prod_vicky_app. We keep only 30 days of data in the Splunk db as per the indexes.conf given below. Now we have to restore some critical information from September 2015. We have those db in tape backup. We requested our server support team to restore the data under /data02/tools/backup_restore. We would like to restore them without affecting the current data and setup. That data should be searchable from the search head. Please guide us on how we can achieve this.

indexes.conf

[prod_vicky_app]
homePath   = $SPLUNK_DB/prod_vicky_app/db
coldPath   = $SPLUNK_DB/prod_vicky_app/colddb
thawedPath = $SPLUNK_DB/prod_vicky_app/thaweddb
maxHotIdleSecs = 172800
maxWarmDBCount = 3
frozenTimePeriodInSecs = 2592000

Thanks,
Vic

0 Karma

Jeremiah
Motivator

You can restore the data just like you would restore similarly thawed data in Splunk. You can copy the data to the thawedPath on your indexer. You don't need to change the indexes.conf file, and it won't impact the rotation or retention of other data in the same index. You do need to keep an eye on your storage, as you're going to have your original data plus the thawed data to account for.

In your db restore, you're going to find a series of bucket files named something like

db_1181756465_1162600547_1001

You can copy these bucket directories to the thawedPath for your index ($SPLUNK_DB/prod_vicky_app/thaweddb). You'll need to make sure the id number (for example 1001 in the sample above) does not conflict with another bucket id in the same index. If you are restoring data back to the same indexer, you should not have that issue. If you do, you can rename the ID number to something unique.

You also need to look at what was actually backed up within the bucket directories. If you only backed up the journal.gz, then you'll need to follow the instructions at the link below on thawing a 4.2+ archive. If you took a complete backup of the bucket, then you only need to follow the pre-4.2 instructions on rebuilding the manifests.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Restorearchiveddata

This should work on a standalone indexer (or indexers) that are not clustered. If you do have clustered indexers, you should take a look at the notes from the link above.

Also keep in mind that this thawed data will never rotate off of the system; you'll need to remove it when you are finished with it.
I suggest trying to thaw a couple of buckets on a test host just to make sure you have the process down correctly and there aren't any surprises.

splunkvickyloui
Explorer

Thanks Jeremiah. I am waiting for the infrastructure team to restore those db files from tape backup. Since I have around 25 buckets to be restored, is it advisable to use the script mentioned in the URL given below?

http://answers.splunk.com/answers/120007/thawing-out-multiple-buckets-at-once.html#answer-246439

Thanks in advance.

0 Karma

Jeremiah
Motivator

I haven't personally used the script, but it does look like others have had success with it. Also keep in mind that this script thaws the files, which you only need to do if you have a partial backup of the bucket (i.e., just the journal.gz file). If you look in your restored buckets and they have tsidx files, you just need to rebuild the manifests.

0 Karma
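The steps Jeremiah describes across both answers (copy db_* buckets into thaweddb, make sure the trailing bucket id does not collide with one already in the index, rename it if it does, then decide per bucket whether a rebuild is needed by checking for tsidx files) fit in one small shell script. The script below is an added example written for this thread, not Jeremiah's script, not the one from the linked answers.splunk.com post, and not Splunk's own tooling. It assumes the restore directory and index root used in the question, that bucket directory names end in a numeric id as in the sample name, and that the rebuild step is the `splunk rebuild <bucket>` command from the linked docs page; the rebuild only runs when `$SPLUNK_HOME/bin/splunk` exists, so the staging logic can be tried on a test host first, as Jeremiah suggests.

```shell
#!/bin/sh
# Added example for this thread (not Splunk's code): stage restored buckets into
# an index's thaweddb, avoiding bucket-id collisions, and flag buckets that
# still need a rebuild. All paths below are assumptions taken from the question.

# Trailing numeric id of a bucket directory name:
# db_1181756465_1162600547_1001 -> 1001
bucket_id() {
    printf '%s\n' "${1##*_}"
}

# Ids already in use by db_* and rb_* buckets under the index root
# (db, colddb and thaweddb), one per line.
used_ids() {
    index_root=$1
    for d in "$index_root"/db "$index_root"/colddb "$index_root"/thaweddb; do
        [ -d "$d" ] || continue
        for b in "$d"/db_* "$d"/rb_*; do
            [ -d "$b" ] || continue
            bucket_id "$(basename "$b")"
        done
    done
}

# Keep the wanted id unless it collides; otherwise use one above the
# highest id currently in use so the renamed bucket is unique in the index.
choose_id() {
    wanted=$1
    ids=$2
    if printf '%s\n' "$ids" | grep -qx "$wanted"; then
        max=$(printf '%s\n' "$ids" | sort -n | tail -n 1)
        echo $((max + 1))
    else
        echo "$wanted"
    fi
}

# True when the bucket already carries index files, i.e. it was a complete
# backup and only the manifests need rebuilding (Jeremiah's second answer).
bucket_has_tsidx() {
    ls "$1"/*.tsidx >/dev/null 2>&1
}

# Copy every db_* bucket from the restore dir into <index_root>/thaweddb,
# renaming the trailing id when it is already taken. Prints the staged paths.
stage_buckets() {
    restore_dir=$1
    index_root=$2
    thawed="$index_root/thaweddb"
    mkdir -p "$thawed"
    ids=$(used_ids "$index_root")
    for b in "$restore_dir"/db_*; do
        [ -d "$b" ] || continue
        name=$(basename "$b")
        old_id=$(bucket_id "$name")
        new_id=$(choose_id "$old_id" "$ids")
        [ "$new_id" = "$old_id" ] || name="${name%_*}_$new_id"
        cp -r "$b" "$thawed/$name"
        ids=$(printf '%s\n%s' "$ids" "$new_id")
        printf '%s\n' "$thawed/$name"
    done
}

# For each staged bucket, run "splunk rebuild" (the command the linked docs
# page describes) when the Splunk binary is present; otherwise just report
# which buckets would need it. Buckets with tsidx files are reported as
# complete backups that only need their manifests rebuilt.
rebuild_staged() {
    splunk_bin="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
    while read -r b; do
        if bucket_has_tsidx "$b"; then
            echo "complete bucket, manifest rebuild only: $b"
        elif [ -x "$splunk_bin" ]; then
            "$splunk_bin" rebuild "$b"
        else
            echo "journal-only bucket, would run: splunk rebuild $b"
        fi
    done
}

# Usage with the paths from the question (assumed):
#   stage_buckets /data02/tools/backup_restore \
#       /data02/tools/splunkdb/prod_vicky_app | rebuild_staged
```

Because thawed buckets never age out (Jeremiah's last point), the printed list from `stage_buckets` is also the list of directories to remove from thaweddb once the September data is no longer needed.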