Hello,
I was having an issue with Splunk where I made one small change to a config file to disable weak cipher suites, and after the change, I couldn't access the web interface, and couldn't start/restart the splunkd service, even after changing the config back to how it originally was. Without a thought in my head, I uninstalled Splunk, rebooted, and reinstalled Splunk.
After doing so, Splunk was running as if it were a brand new install, and none of my logs are there anymore.
Is there any possible way to recover my logs now that I have screwed everything up?
Thanks,
Christopher
Go through the files and see if your logs are in the files they were originally indexed to. If not, I believe there are ways of getting forwarders to reindex, but I'm not well versed in that.
Thanks, janderson19. It is not looking good for me. I just knew that I couldn't get the service started, and I was getting desperate. Repair install wasn't working, reboot wasn't working, and removing the config file that I originally altered, in hopes that it would create a new working one, didn't work.
My hope was that I could just uninstall and reinstall, and my stuff would be there still. It boggles my mind how it could destroy all my logs without so much as a prompt beforehand, to let me know it was about to get rid of/overwrite all my stuff.
It's my own fault, but I really assumed there would be a prompt to let me know, since this program deals in very important data.
Does anyone have any suggestions on how I might recover these logs, or has anyone encountered a similar situation?
Thank you for your time.
For future reference, to upgrade Splunk, you just install the new version on top of the old, and it keeps all data and configurations.