Archived data can be restored by moving the archive into the thawed directory, /var/lib/splunk/defaultdb/thaweddb. An archive can be restored to any Splunk server regardless of platform. Data in thaweddb is not subject to the server's index aging scheme (hot > warm > cold > frozen). You can put old archived data in thawed for as long as you need. When the data is no longer needed, simply delete it or move it out of thawed.
The details of how to restore archived data depend on how it was archived.
Note: you can restore archived data to any index or instance of Splunk. Archived data does not need to be restored to its pre-archival location.
Restore with resurrect
The resurrect command can be used from Splunk's CLI to selectively restore events from an archive. You specify the archive location, the index to hold the restored events, and the time range for the restore.
Syntax of the command is:
resurrect archive_directory index from_time end_time
Note: It is not necessary to stop and start the server when adding or removing from thaweddb.
To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.
For example:
./splunk resurrect /tmp/myarchive oldstuff 01/01/2000:00:00:00 01/01/2001:00:00:00
When you are through using the archived data, you can remove it with unresurrect. Unresurrect can also be used to remove some events from a restored archive. For example:
./splunk unresurrect oldstuff 07/01/2000:00:00:00 08/01/2000:00:00:00
You can also copy or move a previously saved archive into thawed. Use cp if you want to restore the entire db directory instead of specifying a time range and index.
# cp -r db_1181756465_1162600547_0 $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb
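The copy-into-thaweddb step above is a plain cp, so nothing checks that you are thawing the right bucket or that you are not clobbering one that is already thawed. The following POSIX sh script is an added example, not part of the Splunk documentation or the Splunk product: it parses the archive directory name into its time span, refuses to copy a bucket whose span does not overlap the range you want back, and never overwrites an existing entry in thaweddb. It assumes the directory naming seen in the page's example (db_<latest_epoch>_<earliest_epoch>_<id>); the function names and the constructed sample bucket under a temporary directory are the example's own.

```shell
#!/bin/sh
# Added example (not Splunk's own code): restore an archived bucket into
# thaweddb only after checking its name, its time span and the destination.
#
# Assumption: archived bucket directories are named
# db_<latest_epoch>_<earliest_epoch>_<id>, as in db_1181756465_1162600547_0.

# Print "latest earliest" (epoch seconds) for a bucket directory name.
# Prints nothing and returns 1 if the name does not have the expected form.
bucket_times() {
    name=$(basename "$1")
    case "$name" in
        db_[0-9]*_[0-9]*_[0-9]*) ;;
        *) return 1 ;;
    esac
    rest=${name#db_}
    latest=${rest%%_*}
    rest=${rest#*_}
    earliest=${rest%%_*}
    # Both fields must be purely numeric and latest must not precede earliest.
    case "$latest$earliest" in *[!0-9]*) return 1 ;; esac
    [ "$latest" -ge "$earliest" ] || return 1
    echo "$latest $earliest"
}

# Print "yes" if the bucket's [earliest, latest] span overlaps [from, to],
# otherwise "no" (also "no" for a malformed name).
bucket_overlaps() {
    times=$(bucket_times "$1") || { echo "no"; return 0; }
    # Reuse the positional parameters: $1=latest $2=earliest $3=from $4=to
    set -- $times "$2" "$3"
    if [ "$2" -le "$4" ] && [ "$1" -ge "$3" ]; then echo "yes"; else echo "no"; fi
}

# Copy one bucket into thaweddb. Refuses (return 1) when the name is
# malformed or outside the requested range, when the bucket has no rawdata
# subdirectory, or when a bucket of that name is already thawed.
# Arguments: archive_bucket_dir thaweddb_dir from_epoch to_epoch
thaw_bucket() {
    src=$1; thawed=$2; from=$3; to=$4
    name=$(basename "$src")
    [ "$(bucket_overlaps "$src" "$from" "$to")" = yes ] || { echo "skip $name: outside range"; return 1; }
    [ -d "$src/rawdata" ] || { echo "skip $name: no rawdata directory"; return 1; }
    [ ! -e "$thawed/$name" ] || { echo "skip $name: already thawed"; return 1; }
    mkdir -p "$thawed"
    cp -Rp "$src" "$thawed/$name" && echo "thawed $name"
}

# Demo on a constructed bucket in a temporary directory (no real Splunk data).
# Returns 0 when the first thaw succeeds and the repeated thaw is refused.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/archive/db_1181756465_1162600547_0/rawdata"
    echo "constructed sample" > "$tmp/archive/db_1181756465_1162600547_0/rawdata/journal.gz"
    thaw_bucket "$tmp/archive/db_1181756465_1162600547_0" "$tmp/thaweddb" 1170000000 1180000000
    rc=$?
    # A second copy of the same bucket must be refused, not overwritten.
    thaw_bucket "$tmp/archive/db_1181756465_1162600547_0" "$tmp/thaweddb" 1170000000 1180000000 && rc=1
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` to see both outcomes on the constructed bucket, or call `thaw_bucket` directly with a real archive directory, $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb and an epoch range. The overlap check is deliberately conservative: a bucket whose span only partly covers the requested range is still thawed, because resurrect-style event-level trimming is not possible with a plain copy.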
Comments
@vly: if you copy an archive to the thawed directory, it will be restored to the index to which the thawed directory belongs. Can you be more specific about what you mean by 'compressed'?
Posted by rachel on Oct 22 2008, 4:09pm
2 questions:
- When restoring an archive via the thawed directory, which index is used?
- Can compressed archives be restored via the thawed directory?
Posted by vly on Oct 21 2008, 10:45am
@harithandi:
The best place to start is to read the user manual, located here:
http://www.splunk.com/doc/latest/user/WhatsInThisUserGuide
This contains a tutorial and basic instructions for anything you might want to configure.
Posted by emma on Sep 12 2008, 4:04pm
Sir,
I have installed splunk>Documentation:3.3.1, and I am confused with the configuration. Please advise as to what I shall do next?
Posted by harithandi on Sep 04 2008, 3:52am
MichaelE: it does not. Your license is checked when the data is indexed the first time.
Posted by rachel on Jul 01 2008, 11:24am
Does restoring archived data count against the daily index total on the license?
Posted by MichaelE on Jul 01 2008, 11:09am