Restore archived data

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6

Archived data can be restored by moving the archive into the thawed directory, $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb. An archive can be restored to a Splunk server regardless of operating system, with some restrictions: data generated on 64-bit systems is not likely to work well on 32-bit systems, and data cannot be moved between PowerPC or SPARC systems and x86 or x86-64 systems in either direction. Data in thaweddb is not subject to the server's index aging scheme (hot > warm > cold > frozen), so you can keep old archived data in thawed for as long as you need it. When the data is no longer needed, simply delete it or move it out of thawed.

The details of how to restore archived data depend on how it was archived.

Note: You can restore archived data to any index or instance of Splunk. Archived data does not need to be restored to its pre-archival location.

Restore with resurrect

The resurrect command can be used from Splunk's CLI to selectively restore events from an archive. You specify the archive location, the index to hold the restored events, and the time range for the restore.

Syntax of the command is:

resurrect archive_directory index from_time end_time

Note: It is not necessary to stop and start the server when adding or removing from thaweddb.

To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command.

For example:

./splunk resurrect /tmp/myarchive oldstuff  01/01/2000:00:00:00 01/01/2001:00:00:00 

This command will restore the events from the year 2000 that are found in the archive in /tmp/myarchive. The events will be placed in the oldstuff index. If you archived with compressed indexes, Splunk will uncompress them. If you archived without indexes, Splunk will rebuild the indexes.

When you are through using the archived data, you can remove it with unresurrect. Unresurrect can also be used to remove some events from a restored archive. For example:

./splunk unresurrect oldstuff 07/01/2000:00:00:00 08/01/2000:00:00:00

This command removes the events from July 2000 from the oldstuff index.


Restore a copied index archive

You can also copy or move a previously saved archive into thawed. Use cp when you want to bring over the entire db directory instead of specifying a time range and index as resurrect does.

# cp -r db_1181756465_1162600547_0  $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb
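Before copying an archive into thaweddb, or choosing the from_time and end_time for resurrect, it helps to know which archived buckets actually cover the window you want back. The following POSIX shell helpers are an added example, not Splunk's own code: they convert the MM/DD/YYYY:HH:MM:SS timestamps that resurrect takes into epoch seconds (UTC assumed) and parse the db_<latest_epoch>_<earliest_epoch>_<id> layout of the bucket directory name shown above, so a restore can be limited to the buckets that overlap the window. The archive path and the second bucket name used in the comments are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Splunk's code): pick the archived buckets that cover a restore window.
# Assumption: archived bucket directories are named db_<latest_epoch>_<earliest_epoch>_<id>,
# as in db_1181756465_1162600547_0 above, and timestamps are given in resurrect's
# MM/DD/YYYY:HH:MM:SS form, interpreted as UTC.

# Convert MM/DD/YYYY:HH:MM:SS to seconds since the Unix epoch without relying on
# GNU `date -d`, using the days-from-civil calendar algorithm (integer arithmetic only).
to_epoch() {
  IFS='/:' read -r mo d y h mi s <<EOF
$1
EOF
  [ -n "$s" ] || return 1            # fewer than six fields: malformed timestamp
  # strip one leading zero so "08" is not read as an octal literal by the shell
  mo=${mo#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; s=${s#0}
  y=$(( y - (mo <= 2) ))             # treat Jan/Feb as months 13/14 of the previous year
  era=$(( (y >= 0 ? y : y - 399) / 400 ))
  yoe=$(( y - era * 400 ))           # year of era [0, 399]
  doy=$(( (153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  days=$(( era * 146097 + doe - 719468 ))   # days since 1970-01-01
  echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
}

# Print "<earliest> <latest>" epoch seconds encoded in a bucket directory name.
bucket_span() {
  IFS='_' read -r prefix latest earliest rest <<EOF
$(basename "$1")
EOF
  [ "$prefix" = "db" ] && [ -n "$earliest" ] || return 1
  echo "$earliest $latest"
}

# Succeed (exit 0) when the bucket's span overlaps the window [from_time, end_time].
bucket_in_window() {
  span=$(bucket_span "$1") || return 2
  earliest=${span%% *}; latest=${span##* }
  win_from=$(to_epoch "$2") || return 2
  win_to=$(to_epoch "$3") || return 2
  [ "$win_from" -le "$win_to" ] || return 2
  [ "$earliest" -le "$win_to" ] && [ "$latest" -ge "$win_from" ]
}

# List the bucket directories under an archive tree that overlap the window, one per line.
# Usage (hypothetical path): select_buckets /tmp/myarchive 01/01/2000:00:00:00 01/01/2001:00:00:00
select_buckets() {
  for b in "$1"/db_*; do
    [ -d "$b" ] || continue
    if bucket_in_window "$b" "$2" "$3"; then
      echo "$b"
    fi
  done
}
```

The overlap test is deliberately inclusive: a bucket whose span merely touches the window is listed, because resurrect and the cp approach both operate on whole buckets, and it is safer to review one bucket too many than to silently miss events at the edge of the range.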