Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After reinstalling Splunk without backing anything up, is there a way to recover my indexed logs?

cstute
New Member
‎06-22-2016 10:13 AM

Hello,

I was having an issue with Splunk where I made one small change to a config file to disable weak cipher suites, and after the change, I couldn't access the web interface, and couldn't start/restart the splunkd service, even after changing the config back to how it originally was. Without a thought in my head, I uninstalled Splunk, rebooted, and reinstalled Splunk.

After doing so, Splunk was running as if it were a brand new install, and none of my logs are there anymore.

Is there any possible way to recover my logs now that I have screwed everything up?

Thanks,
Christopher

0 Karma
Reply

janderson19
Path Finder
‎06-22-2016 10:31 AM

Go through the files and see if your logs are in the files they were originally indexed to. If not, I believe there are ways of getting forwarders to reindex, but I'm not well versed in that.

0 Karma
Reply

cstute
New Member
‎06-22-2016 02:59 PM

Thanks janderson19. It is not looking good for me. I just knew that I couldn't get the service started, I was getting desperate, Repair install wasn't working, reboot wasn't working, removing the config file that I originally altered in hopes that it would create a new working one, didn't work.

My hope was that I could just uninstall and reinstall, and my stuff would be there still. It boggles my mind how it could destroy all my logs without so much as a prompt beforehand, to let me know it was about to get rid of/overwrite all my stuff.

It's my own fault, but I really assumed there would be a prompt to let me know, since this program deals in very important data.

Does anyone have any suggestion on how I might recover these logs, or encountered a similar situation?

Thank you for your time.

0 Karma
Reply

janderson19
Path Finder
‎06-22-2016 04:28 PM

For future reference, to upgrade Splunk, you just install the new version on top of the old, and it keeps all data and configurations.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...