Admin Manual

 


Restore archived indexed data

This documentation does not apply to the most recent version of Splunk.


Restore archived data by moving the archive into the thawed directory, $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb. You can restore an archive to a Splunk server regardless of operating system, with some restrictions: data generated on 64-bit systems is not likely to work well on 32-bit systems, and data cannot be moved from PowerPC or Sparc systems to x86 or x86-64 systems, or vice versa. Data in thaweddb is not subject to the server's index aging scheme (hot > warm > cold > frozen). You can keep old archived data in thawed for as long as you need it. When the data is no longer needed, delete it or move it out of thawed.

The details of how to restore archived data depend on how it was archived. You can restore archived data to any index or instance of Splunk, provided that you do not introduce bucket ID conflicts into your index. Archived data does not need to be restored to its pre-archival location.

*nix users

Here is an example of safely moving a previously saved archive bucket to thawed.

1. Copy your archive bucket to the thawed directory.

# cp -r db_1181756465_1162600547_0 $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/temporary-db_1181756465_1162600547_0

Note: If the archived db was compressed, be sure to uncompress the contents in the temporary directory.

2. Rename the directory you just copied into the thawed directory to something that Splunk will recognize:

# cd $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/
# mv temporary-db_1181756465_1162600547_0 db_1181756465_1162600547_0

Note: This example assumes that the bucket id '0' does not conflict with any other bucket in the main (defaultdb) index. If it does, you will have to move the bucket to a non-conflicting bucket ID.

3. Refresh the manifests:

# cd $SPLUNK_HOME/bin
# ./splunk login
# ./splunk _internal call /data/indexes/main/rebuild-metadata-and-manifests 

After a few moments, the contents of your newly thawed buckets should be searchable again.
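
The script below is an added example, not part of the Splunk manual or Splunk's own tooling: it performs steps 1 and 2 but first checks the bucket ID conflict that the note under step 2 warns about. The function names are hypothetical, and it assumes existing buckets sit one level below the index directory and are named like the db_1181756465_1162600547_0 example above.

```shell
#!/bin/sh
# Added example, not Splunk's code. Function names are hypothetical.
# Assumption: every existing bucket sits one level below the index
# directory (for example in thaweddb) and is named db_<number>_<number>_<id>.

# Print the bucket ID (last underscore-separated field) of a bucket path.
bucket_id() {
    name=$(basename "$1")
    case "$name" in
        db_*_*_*) id=${name##*_} ;;
        *) return 1 ;;
    esac
    case "$id" in
        ''|*[!0-9]*) return 1 ;;   # ID must be a non-empty number
    esac
    printf '%s\n' "$id"
}

# Print the first existing bucket in the index that already uses this ID.
# Returns 0 when a conflict exists, 1 when the ID is free.
find_conflict() {
    for existing in "$1"/*/db_*_*_"$2"; do
        [ -d "$existing" ] || continue   # unmatched glob stays literal
        printf '%s\n' "$existing"
        return 0
    done
    return 1
}

# Steps 1 and 2 of the procedure: copy under a temporary name, then rename.
# Refuses to touch the index if the bucket ID is already taken.
thaw_bucket() {
    archive=${1%/}
    index_dir=${2%/}
    name=$(basename "$archive")
    id=$(bucket_id "$archive") || { echo "not a bucket: $name" >&2; return 2; }
    if conflict=$(find_conflict "$index_dir" "$id"); then
        echo "bucket ID $id already used by $conflict" >&2
        return 3
    fi
    tmp="$index_dir/thaweddb/temporary-$name"
    cp -r "$archive" "$tmp" && mv "$tmp" "$index_dir/thaweddb/$name"
}

# Usage: thaw.sh <archived-bucket-dir> <index-dir>
[ "$#" -ne 2 ] || thaw_bucket "$1" "$2"
```

Step 3 (refreshing the manifests) still has to be run afterwards with the splunk commands shown above.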

Windows users

1. Copy your archived bucket into the thawed directory.

> xcopy D:\MyArchive\db_1181756465_1162600547_0 %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\tempdb_1181756465_1162600547_0 /s /e /v

Note: If the archived db was compressed, be sure to uncompress the contents in the temporary directory.

2. Rename the directory you just copied into the thawed directory to something that Splunk will recognize:

> cd %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb
> move tempdb_1181756465_1162600547_0 db_1181756465_1162600547_0

Note: This example assumes that the bucket id '0' does not conflict with any other bucket in the main (defaultdb) index. If it does, you will have to move the bucket to a non-conflicting bucket ID.

3. Then, refresh the manifests:

> cd %SPLUNK_HOME%\bin
> splunk login
> splunk _internal call /data/indexes/main/rebuild-metadata-and-manifests

After a few moments, the contents of your newly thawed buckets should be searchable again.

See "Archive indexed data" for information on how to archive data in the first place.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.

