- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: After restoring frozen buckets, why am I getti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Instance running on Linux
I recently restored frozen buckets to my thawed bucket as follows:
cp -r * /opt/splunk/var/lib/splunk/web_logging/thaweddb/
then run the command splunk rebuild
I'm able to view the thawed data on a search with the Index, host & source. BUT when I try to do a search on a particular field pair or just a line, the search comes up empty...it's like it's not indexed??
Has anyone restored data and able to search on specific fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a known issue resolved in 6.2.1, SPL-94063. If you upgrade, it should resolve the issue once you run a rebuild on the data again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for asking this question, dperry, and for providing a descriptive question which allowed me to track down the same issue quickly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a known issue resolved in 6.2.1, SPL-94063. If you upgrade, it should resolve the issue once you run a rebuild on the data again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SPL-94063 really needs to be publicly documented....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We just restored a bucket on 6.2.1 and we cannot find data for the time specified.
PWD is /opt/splunk/var/lib/splunk/wineventlog/thaweddb/
CLI executed was /opt/splunk/bin/splunk rebuild db_1429295681_1427997060_10
it executed with warning messages but completed.
/opt/splunk/bin/splunk rebuild db_1429295681_1427997060_10
USAGE: splunk rebuild [] [--no-log]
The parameter is ignored if provided.
Please see 'splunk fsck' for more options. This command is just a wrapper for 'splunk fsck'.
Redirecting to 'splunkd fsck' with args:
repair --one-bucket --include-hots --bucket-path=db_1429295681_1427997060_10 --log-to--splunkd-log
WARN Fsck - Not loading indexes.conf; will proceed with all defaults
INFO Fsck - (entire bucket) Rebuild for bucket='/opt/splunk/var/lib/splunk/wineventlog/thaweddb/db_1429295681_1427997060_10' took 517.4 seconds
When it was done we restarted the indexer and searched for the desired time period. No data found.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nevermind, the data did restore but i was looking at the wrong time range.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
