How can I restore data from a crashed installation

jezh
Engager

Our Splunk server has 2 Windows partitions, one for the OS and Splunk, the other for the Splunk data.

For reasons I shall not go into, it has been necessary to trash the OS partition and rebuild it from scratch.

I still have the Splunk data on the data partition (and a tape backup). The server was shut down cleanly prior to the OS partition being trashed.

My plan is to reinstall the OS (currently underway) and then install Splunk. I will then need to import/restore the data somehow, but I am not sure how to go about this.

Can anyone help?

1 Solution

lguinn2
Legend

If all the data is there and intact, you should be able to

  • Reinstall Splunk
  • Restore the Splunk etc directory from a recent backup
  • Start Splunk

In addition to making sure that your indexed info is all there, this will also restore your licenses, your users' saved searches, etc. etc.

This is not the only way to get service restored, but it is the easiest way that I know. If you can't restore the Splunk etc directory, then you will need to reconstruct the configuration files; this would be a PITA. The data is described in indexes.conf - but that is only part of what you really need.

It's great that your data partition survived intact.

Post back if you need more help.
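
A pre-start check for the procedure in the answer above, added here as an example (it is not part of the original answer and not Splunk's own tooling): it reads the restored indexes.conf and lists index paths that are missing or not on the surviving data partition. The sample file contents, the `E:\splunkdata` location, the drive letters and the function names are assumptions; `homePath`, `coldPath`, `thawedPath` and `$SPLUNK_DB` are the standard indexes.conf settings.

```python
import ntpath  # Windows path rules, so the check behaves the same on any OS
import os

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

# Constructed sample of a restored indexes.conf (not taken from the post).
SAMPLE_CONF = r"""
[main]
homePath   = $SPLUNK_DB\defaultdb\db
coldPath   = $SPLUNK_DB\defaultdb\colddb
thawedPath = $SPLUNK_DB\defaultdb\thaweddb
[firewall]
homePath   = E:\splunkdata\firewall\db
coldPath   = E:\splunkdata\firewall\colddb
thawedPath = D:\thawed\firewall
"""

def index_paths(conf_text, splunk_db):
    """Return {index: {setting: resolved path}} for each index stanza."""
    result, stanza = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if stanza and sep and key.strip() in PATH_KEYS:
            path = value.strip().replace("$SPLUNK_DB", splunk_db)
            result.setdefault(stanza, {})[key.strip()] = ntpath.normpath(path)
    return result

def problems(paths, data_drive, exists=os.path.isdir):
    """List (index, setting, path, reason) for paths Splunk would not find."""
    found = []
    for index, settings in sorted(paths.items()):
        for key, path in sorted(settings.items()):
            drive = ntpath.splitdrive(path)[0].upper()
            if drive != data_drive.upper():
                found.append((index, key, path, "not on data partition"))
            elif not exists(path):
                found.append((index, key, path, "directory missing"))
    return found

if __name__ == "__main__":
    resolved = index_paths(SAMPLE_CONF, r"E:\splunkdata")
    for item in problems(resolved, "E:"):
        print(*item, sep=" | ")
```

An empty result from `problems` means every index path in the restored configuration resolves to an existing directory on the data drive.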
