- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: After reinstalling Splunk without backing anyt...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After reinstalling Splunk without backing anything up, is there a way to recover my indexed logs?
Hello,
I was having an issue with Splunk where I made one small change to a config file to disable weak cipher suites, and after the change, I couldn't access the web interface, and couldn't start/restart the splunkd service, even after changing the config back to how it originally was. Without a thought in my head, I uninstalled Splunk, rebooted, and reinstalled Splunk.
After doing so, Splunk was running as if it were a brand new install, and none of my logs are there anymore.
Is there any possible way to recover my logs now that I have screwed everything up?
Thanks,
Christopher
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Go through the files and see if your logs are in the files they were originally indexed to. If not, I believe there are ways of getting forwarders to reindex, but I'm not well versed in that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks janderson19. It is not looking good for me. I just knew that I couldn't get the service started, I was getting desperate, Repair install wasn't working, reboot wasn't working, removing the config file that I originally altered in hopes that it would create a new working one, didn't work.
My hope was that I could just uninstall and reinstall, and my stuff would be there still. It boggles my mind how it could destroy all my logs without so much as a prompt beforehand, to let me know it was about to get rid of/overwrite all my stuff.
It's my own fault, but I really assumed there would be a prompt to let me know, since this program deals in very important data.
Does anyone have any suggestion on how I might recover these logs, or encountered a similar situation?
Thank you for your time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For future reference, to upgrade Splunk, you just install the new version on top of the old, and it keeps all data and configurations.
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
