Admin Manual > How Splunk Works

Restore archived data

Archived data can be restored by moving the archive into the thawed directory, $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb. An archive can be restored to any Splunk server regardless of platform. Data in thaweddb is not subject to the server's index aging scheme (hot > warm > cold > frozen), so archived data can stay in thawed for as long as you need it. When the data is no longer needed, delete it or move it out of thawed.


The details of how to restore archived data depend on how it was archived.


Note: Archived data can be restored to any index or instance of Splunk; it does not need to be restored to its pre-archival location.


Restore with resurrect

The resurrect command can be used from Splunk's CLI to selectively restore events from an archive. You specify the archive location, the index that will hold the restored events, and the time range to restore. The syntax of the command is:


resurrect archive_directory index from_time end_time

Note: It is not necessary to stop and restart the server when adding to or removing from thaweddb.


To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and run the ./splunk command. You can also add Splunk to your path and use the splunk command directly.


For example:


./splunk resurrect /tmp/myarchive oldstuff 01/01/2000:00:00:00 01/01/2001:00:00:00

This command restores the events from the year 2000 that are found in the archive at /tmp/myarchive and places them in index::oldstuff. If the archive was created with compressed indexes, Splunk uncompresses them; if it was created without indexes, Splunk rebuilds them.


When you are through using the archived data, remove it with unresurrect. unresurrect can also be used to remove only some of the events from a restored archive. For example:


./splunk unresurrect oldstuff 07/01/2000:00:00:00 08/01/2000:00:00:00

This removes the events from July 2000 from the index oldstuff.


Restore a copied index archive

You can also copy or move a previously saved archive directly into thawed. Use cp when you want to restore an entire db directory rather than specifying a time range and an index:


# cp -r db_1181756465_1162600547_0 $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb
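Both restore paths above end with a bucket directory landing in thaweddb, and the cp example copies a single bucket by name. The script below is an added example, not part of Splunk or this manual: it selects the archived buckets whose time span overlaps a requested window (a rough counterpart to giving resurrect a time range) and copies only those into thaweddb, refusing any directory whose name does not parse as db_<latest>_<earliest>_<id>. It assumes that naming pattern (the epoch seconds in the db_1181756465_1162600547_0 example, newest first), takes the window as epoch seconds rather than the MM/DD/YYYY:HH:MM:SS form resurrect uses, and takes the thaweddb path as an argument. The function names and the demo directories are constructed for the example.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. Assumptions:
#  - archived bucket directories are named db_<latest>_<earliest>_<id>,
#    with latest/earliest as epoch seconds (newest first, as in
#    db_1181756465_1162600547_0);
#  - the caller passes the thaweddb path and the wanted window in epoch
#    seconds.
# Only buckets overlapping the window are copied, and anything that does
# not look like a bucket is refused instead of being copied blindly.

# bucket_epochs NAME: print "<latest> <earliest>" for a bucket directory
# name, or return 1 if NAME is not of the form db_<latest>_<earliest>_<id>.
bucket_epochs() {
    name=$(basename "$1")
    case "$name" in db_*) ;; *) return 1 ;; esac
    rest=${name#db_}
    latest=${rest%%_*}
    rest=${rest#*_}
    case "$rest" in *_*) ;; *) return 1 ;; esac
    earliest=${rest%%_*}
    id=${rest#*_}
    for field in "$latest" "$earliest" "$id"; do
        case "$field" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$latest" -ge "$earliest" ] || return 1
    printf '%s %s\n' "$latest" "$earliest"
}

# bucket_in_range NAME FROM TO: succeed if the bucket's [earliest, latest]
# span overlaps the window [FROM, TO] (all epoch seconds).
bucket_in_range() {
    span=$(bucket_epochs "$1") || return 1
    b_latest=${span%% *}
    b_earliest=${span#* }
    [ "$b_latest" -ge "$2" ] && [ "$b_earliest" -le "$3" ]
}

# thaw_bucket SRC THAWEDDB: copy one validated bucket into thaweddb.
# Refuses a malformed name, a missing source or thaweddb, or an existing
# target, so a stray directory is never copied and nothing is overwritten.
thaw_bucket() {
    src=$1
    thawed=$2
    bucket_epochs "$src" >/dev/null || { echo "refusing $src: not a db_<latest>_<earliest>_<id> bucket" >&2; return 1; }
    [ -d "$src" ] || { echo "refusing $src: not a directory" >&2; return 1; }
    [ -d "$thawed" ] || { echo "refusing: thaweddb $thawed does not exist" >&2; return 1; }
    dst=$thawed/$(basename "$src")
    [ ! -e "$dst" ] || { echo "refusing: $dst already present" >&2; return 1; }
    cp -r "$src" "$dst"
}

# thaw_archive ARCHIVE THAWEDDB FROM TO: copy every bucket under ARCHIVE
# that overlaps [FROM, TO] into THAWEDDB, printing the name of each bucket
# copied. Returns 1 if any selected bucket could not be copied.
thaw_archive() {
    rc=0
    for b in "$1"/db_*; do
        [ -d "$b" ] || continue
        bucket_in_range "$b" "$3" "$4" || continue
        if thaw_bucket "$b" "$2"; then
            basename "$b"
        else
            rc=1
        fi
    done
    return $rc
}

# Constructed demo (no real Splunk data): an archive holding two well-formed
# buckets and one stray directory. Only the bucket overlapping the
# October 2006 to September 2007 window (epoch 1160000000..1190000000)
# should be thawed, so the demo prints db_1181756465_1162600547_0.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/archive/db_1181756465_1162600547_0" \
             "$tmp/archive/db_1100000000_1090000000_1" \
             "$tmp/archive/db_notabucket_1_2" \
             "$tmp/thaweddb"
    thaw_archive "$tmp/archive" "$tmp/thaweddb" 1160000000 1190000000
    rm -rf "$tmp"
}

demo
```

Checking the name before copying matters because whatever lands in thaweddb is served as index data without passing through the aging scheme, and the refusal to overwrite an existing bucket keeps a second restore from silently replacing the first. Run it against a real archive by calling thaw_archive with the archive directory, $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb, and the window boundaries.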

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6.