How can I restore data from a crashed installation?

jezh
Engager

Our Splunk server has 2 Windows partitions, one for the OS and Splunk, the other for the Splunk data.

For reasons I shall not go into, it has been necessary to trash the OS partition and rebuild it from scratch.

I still have the Splunk data on the data partition (and a tape backup). The server was shut down cleanly prior to the OS partition being trashed.

My plan is to reinstall the OS (currently underway) and then install Splunk. I will then need to import/restore the data somehow, but I am not sure how to go about this.

Can anyone help?


lguinn2
Legend

If all the data is there and intact, you should be able to

  • Reinstall Splunk
  • Restore the Splunk etc directory from a recent backup
  • Start Splunk

In addition to making sure that your indexed info is all there, this will also restore your licenses, your users' saved searches, etc. etc.

This is not the only way to get service restored, but it is the easiest way that I know. If you can't restore the Splunk etc directory, then you will need to reconstruct the configuration files; this would be a PITA. The data is described in indexes.conf - but that is only part of what you really need.

It's great that your data partition survived intact.

Post back if you need more help.
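A pre-start check for the restore described in the answer above, as an added example that is not part of the original post or Splunk's own tooling: it reads a restored indexes.conf and reports whether each index's homePath, coldPath and thawedPath still resolves to a directory on the surviving data partition. The function names, the sample stanzas and the `D:/splunkdata` location are assumptions; the real `$SPLUNK_DB` value is set in splunk-launch.conf under the etc directory.

```python
import os
import re

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def resolve(path, index, splunk_db, volumes):
    """Expand volume:<name>, $SPLUNK_DB and $_index_name; None if the volume is undefined."""
    m = re.match(r"volume:([^/\\]+)[/\\]?(.*)", path)
    if m:
        if m.group(1) not in volumes:
            return None
        path = os.path.join(volumes[m.group(1)], m.group(2))
    path = path.replace("$SPLUNK_DB", splunk_db).replace("$_index_name", index)
    return os.path.normpath(path)

def check_index_paths(conf_text, splunk_db):
    """Return [(index, key, resolved_path, exists)] for every index path setting."""
    stanzas = parse_conf(conf_text)
    volumes = {n[7:]: s["path"] for n, s in stanzas.items()
               if n.startswith("volume:") and "path" in s}
    report = []
    for name, settings in stanzas.items():
        if name == "default" or name.startswith("volume:"):
            continue
        for key in PATH_KEYS:
            if key in settings:
                p = resolve(settings[key], name, splunk_db, volumes)
                report.append((name, key, p, bool(p) and os.path.isdir(p)))
    return report

if __name__ == "__main__":
    # Constructed sample stanza and data location, not taken from the thread.
    sample = "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\ncoldPath = $SPLUNK_DB/defaultdb/colddb\n"
    for row in check_index_paths(sample, "D:/splunkdata"):
        print(row)
```

Any row whose last field is False points at an index whose buckets Splunk will not find at the configured location. Run it against each indexes.conf under the restored etc directory, since settings can be spread across system and app directories.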
