Getting Data In

How to restore frozen archived data, multiple buckets, months of data?

Glasses
Builder

I was recently asked to restore a couple months of data.

After reading https://docs.splunk.com/Documentation/Splunk/7.2.7/Indexer/Restorearchiveddata
I don't see a way to restore Jul 1 2019 to Sep 1 2019...
Does anyone have a reliable script or process to do this?

0 Karma
1 Solution

ivanreis
Builder

Before you restore frozen buckets, you have to make sure the bucket retirement policy was previously set up.
Further information -> https://docs.splunk.com/Documentation/Splunk/7.2.7/Indexer/Setaretirementandarchivingpolicy
If you did not previously set it up, there is no way to restore the frozen data.
If the retirement policy is properly set up, the procedure to restore a frozen bucket is:

Restoring a Frozen Bucket
To thaw an archived bucket:
– Copy the bucket directory from the archive to the index's thaweddb directory
– Stop Splunk
– Run splunk rebuild
  - Also works to recover a corrupted directory
  - Does not count against license
– Start Splunk
  - Data in thaweddb is searchable along with other data, is not frozen, and does not count against index total size
– Delete the bucket directory when no longer needed and restart Splunk

I don't have any script to run the recovery process.

0 Karma

ivanreis
Builder

When I typed the response, this part was missing. Here is the procedure.
To thaw an archived bucket:
– Copy the bucket directory from the archive to the index's thaweddb directory
– Stop Splunk
– Run splunk rebuild <path to bucket directory>
  - Also works to recover a corrupted directory
  - Does not count against license
– Start Splunk
  - Data in thaweddb is searchable along with other data, is not frozen, and does not count against index total size
– Delete the bucket directory when no longer needed and restart Splunk

0 Karma
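
The thaw procedure above applied to a whole date window, as an added example that is not part of the original thread or Splunk's own tooling. It assumes frozen bucket directories keep the name `db_<newest_epoch>_<oldest_epoch>_<id>`, that `SPLUNK_HOME` defaults to `/opt/splunk`, and that the window is given in epoch seconds (Jul 1 2019 to Sep 1 2019 UTC is 1561939200 to 1567296000); the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): thaw every frozen bucket overlapping a window.
# Assumed naming: db_<newest_epoch>_<oldest_epoch>_<id>, rb_ prefix for replicated
# copies, optional _<guid> suffix on clustered peers.
# Usage: sh thaw_range.sh <archive_dir> <index_thaweddb_dir> <start_epoch> <end_epoch>

# bucket_overlaps NAME START END: exit 0 if the bucket's time span intersects the window
bucket_overlaps() {
    name=$1
    case $name in db_*_*_*|rb_*_*_*) ;; *) return 1 ;; esac
    rest=${name#??_}            # drop the db_/rb_ prefix
    newest=${rest%%_*}          # first field: latest event time in the bucket
    rest=${rest#*_}
    oldest=${rest%%_*}          # second field: earliest event time in the bucket
    case $newest in ''|*[!0-9]*) return 1 ;; esac
    case $oldest in ''|*[!0-9]*) return 1 ;; esac
    [ "$newest" -ge "$2" ] && [ "$oldest" -le "$3" ]
}

# select_buckets ARCHIVE_DIR START END: print names of matching bucket directories
select_buckets() {
    for path in "$1"/*/; do
        [ -d "$path" ] || continue
        b=$(basename "$path")
        if bucket_overlaps "$b" "$2" "$3"; then echo "$b"; fi
    done
}

# thaw_buckets ARCHIVE_DIR THAWED_DIR START END: stop, copy, rebuild, start
thaw_buckets() {
    archive=$1 thawed=$2
    splunk="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"   # default path is an assumption
    "$splunk" stop
    select_buckets "$archive" "$3" "$4" | while read -r b; do
        if [ -e "$thawed/$b" ]; then echo "skip (already thawed): $b" >&2; continue; fi
        cp -Rp "$archive/$b" "$thawed/$b" || { echo "copy failed: $b" >&2; continue; }
        # </dev/null keeps the command from consuming the bucket list on stdin
        "$splunk" rebuild "$thawed/$b" </dev/null || echo "rebuild failed: $b" >&2
    done
    "$splunk" start
}

if [ "$#" -eq 4 ]; then thaw_buckets "$@"; fi
```

Running `select_buckets` on its own first gives a dry-run list, which helps size the copy against free space in thaweddb before anything is moved.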

Glasses
Builder

Thanks, I have 1TB and months of buckets to cp and rebuild.
I found a script and am going to try to use it on a non-prod standalone indexer, which I will make a peer later.
If you have any other advice it will be much appreciated.
Thanks

0 Karma

wonda
Loves-to-Learn Lots

Hi,

Can anybody share a script to restore months of frozen buckets that have been dumped into one frozen directory instead of the respective directory by index? Due to a config issue, the coldToFrozenDir file path was set up without the index name in the path; instead a token was used ($_index_name), hence Splunk dumped all the frozen buckets into one directory ($_index_name), and now I need to come up with a way to move the buckets in the frozendb to their respective frozendb.

Thank you

0 Karma