Restore procedure for warm buckets

torstefan
Explorer

Hello. The documentation is a bit unclear on how to restore warm buckets that have been backed up. Is the procedure the same as for frozen buckets? Are they copied into the thawed directory, and then the rebuild and restart commands are run?

0 Karma

alemarzu
Motivator

Hi there @torstefan

The procedure is not the same, something like this should work.

  1. Stop Splunk.
  2. Move your backed-up buckets (warm) to your proper homePath according to your index. Just make sure that the bucket IDs are not duplicated inside that directory. If there happens to be a duplicated ID, find the oldest bucket with the same ID, and change the ID of one of them.
  3. Restart Splunk.
  4. Search your data.

Hope it helps.

0 Karma

torstefan
Explorer

Sorry, I can rephrase my question.

What will happen if you copy previously warm buckets, buckets that now maybe would be cold, into the directory that has the live warm buckets? E.g. you are restoring the backup.

Will they be instantly rolled out of the warm bucket directory into the cold / frozen directory? Or if they stay, when will they be rolled out of the warm directory into the cold/frozen?

0 Karma

alemarzu
Motivator

I don't know how it works exactly, never paid attention to it. I believe that restored buckets will be affected by your retention policies, but it is a wild hunch.

0 Karma

gjanders
SplunkTrust

I've tested similar scenarios (not this exact one), and under circumstances where the indexer sees duplicate bucket IDs it will fail to restart and throw an error.
I suspect having the same bucket id in the cold and the hot directories will trigger this scenario, but it might be worth testing if you have spare time 🙂

0 Karma

torstefan
Explorer

Hi @alemarzu

Thanks for the answer.
Follow-up questions:

If the backed-up buckets are old, should I then change the frozenTimePeriodInSecs for the index I'm trying to restore?
Since I don't want the newly restored buckets to immediately be moved to cold / frozen.

Also, changing the ID: I should change the last digit, the seq number? Maybe not so good changing the Unix timestamp? Even though by what you are saying it does not matter what the name of the bucket is?

0 Karma

alemarzu
Motivator

> If the backed-up buckets are old, should I then change the frozenTimePeriodInSecs for the index I'm trying to restore?

I'm not sure about this but it makes sense.

> Also, changing the ID: I should change the last digit, the seq number? Maybe not so good changing the Unix timestamp? Even though by what you are saying it does not matter what the name of the bucket is?

You should change only the ID number. It goes like this: db_latesttime_earliesttime_id

0 Karma
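
A pre-restore check for step 2 of the accepted answer, using the bucket naming given in the last reply (db_latesttime_earliesttime_id). This is an added example, not part of the original thread and not Splunk's own tooling; the function names and paths are hypothetical, and checking the cold directory as well as homePath follows gjanders' suspicion above rather than confirmed behaviour.

```bash
#!/usr/bin/env bash
# Added example: pre-restore check for duplicate bucket IDs.
# Assumes bucket directories are named db_<latesttime>_<earliesttime>_<id>.

# Print the numeric ID (4th "_" field) of a bucket directory name.
bucket_id() {
    local name id
    name=$(basename "$1")
    case "$name" in db_*) ;; *) return 1 ;; esac
    id=$(printf '%s\n' "$name" | cut -d_ -f4)
    case "$id" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$id"
}

# Print the IDs of all buckets directly under the given directories.
list_ids() {
    local dir b
    for dir in "$@"; do
        for b in "$dir"/db_*; do
            [ -d "$b" ] || continue
            bucket_id "$b" || true
        done
    done
}

# find_collisions BACKUP_DIR LIVE_DIR...
# Prints each backup bucket whose ID is already used in a live directory
# and returns 1 if there is at least one; returns 0 when the move is safe.
find_collisions() {
    local backup b id live_ids rc
    backup=$1; rc=0; shift
    live_ids=$(list_ids "$@")
    for b in "$backup"/db_*; do
        [ -d "$b" ] || continue
        id=$(bucket_id "$b") || continue
        if printf '%s\n' "$live_ids" | grep -qxF -- "$id"; then
            printf 'DUPLICATE id=%s %s\n' "$id" "$(basename "$b")"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (hypothetical paths): run with Splunk stopped, before moving anything.
#   find_collisions /backup/myindex "$SPLUNK_DB/myindex/db" "$SPLUNK_DB/myindex/colddb"
if [ "$#" -ge 2 ]; then find_collisions "$@"; fi
```

Any bucket it reports needs its ID field changed, leaving the two timestamps alone, before it is moved into place.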