Re: After using exporttool and importtool to copy ...

timmy13 · ‎04-28-2015

I am attempting to use the importtool and exporttool to copy data from one environment to another. After the import the data doesn't seem to have shown up in the index. I attempted run the import command a second time, and got the following error:

"Please ensure that you are importing to a new bucket, as opposed to an existing one"

The command I am using is:

/splunk cmd importtool /opt/myapps/splunk/var/lib/splunk/myindex/db ~/export1.csv

I'm confused and not sure where to look. After running this the first time it told me several thousand events had been imported. Yet they do not show up in splunk when running query "index=myindex".

Any help appreciated.

schose · ‎11-02-2016

Hi,

you need to create and add the new bucket name - meaning:

 /splunk cmd importtool /opt/myapps/splunk/var/lib/splunk/myindex/db/db_X_Y_0 ~/export1.csv -csv

will do the job.. otherwise the rawdata and tsidx file will be created in db dir instead of db_X_Y_0

Regards,

Andreas

dflodstrom · ‎04-28-2015

Have you seen http://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html ? It based on the output you received it sounds like it worked the first time. Have you restarted Splunk since running it?

timmy13 · ‎04-28-2015

This article is exactly what I used as a reference. Yes, I did restart Splunk.

After using exporttool and importtool to copy buckets from one environment to another, why is the imported data not searchable?

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification