Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

restore and search old data on a standalone Splunk instance?

vikas_gopal
Builder
‎09-06-2023 07:56 AM

Hello Experts,

We have migrated to new hardware after old data is backed up , new environment has last 2 months of data . Now we want to restore old data onto a standalone server to perform some searches . 

Highlights 

--> old backup has primary and replication buckets as it was cluster backup.

--> we are planning to setup a test machine(indexer/search head) for the above and ask storage team to mount (~450TB (primary and secondary ) buckets).

Do you think it is a right approach ? is there anything that we need to consider before we ask a test machine (8GB RAM , 4 CPU) and storage team to mount 450TB(backup) to this test machine . 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-07-2023 01:07 AM
Hi
Is the "old data" just on disk and left back when you start to use a new servers or is it frozen data?
r. Ismo
0 Karma
Reply

vikas_gopal
Builder
‎09-07-2023 07:22 AM

it is just old data ,  Both setups were running in parallel for like a month or so, once all the log sources shifted successfully to new setup we stopped using old setup . I am sure mostly the data will be in warm and cold bucket as when we stop/restart old splunk buckets should have moved to warm .   

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 11:55 PM

Hi @vikas_gopal,

at first the configuration you defined isn't recommended by Splunk, but its isn't a production system, so it could go.

About the idea to have a stand alone server containing the old data (that are in an Indexer Cluster), you could use one of the Cluster search peers disconnecting it from the old cluster, you have to put attention to the steps to follow:

  • disconnect from the cluster one by one all the indexers, in this way on the last remaining Indexer you'll have a copy of all the data,
  • then you can disconnect also it from the cluster.

It isn't an usual procedure and I'm not sure that it was tested, but it should work.

Ciao.

Giuseppe

0 Karma
Reply

vikas_gopal
Builder
‎09-07-2023 07:24 AM

Thank you , 

This is a very good suggestion but unfortunately all old server are decommissioned. We only have data backup in buckets form . I am pretty sure they are warm and cold . Hence it is decided to have a standalone and mount the data backup storage and start searching it . 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-07-2023 07:27 AM

Hi @vikas_gopal,

the main problem is that probably you have the backup in clustered format: I'm not sure that it's possible to restore it without a cluster!

Let me know if I can help you more.

Ciao.

Giuseppe

P.S.: Karma Points are appeciated 😉

0 Karma
Reply

vikas_gopal
Builder
‎09-07-2023 07:50 AM

yeah thank you in advance 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...