Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

restore and search old data on a standalone Splunk instance?

vikas_gopal
Builder
‎09-06-2023 07:56 AM

Hello Experts,

We have migrated to new hardware after old data is backed up , new environment has last 2 months of data . Now we want to restore old data onto a standalone server to perform some searches . 

Highlights 

--> old backup has primary and replication buckets as it was cluster backup.

--> we are planning to setup a test machine(indexer/search head) for the above and ask storage team to mount (~450TB (primary and secondary ) buckets).

Do you think it is a right approach ? is there anything that we need to consider before we ask a test machine (8GB RAM , 4 CPU) and storage team to mount 450TB(backup) to this test machine . 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-07-2023 01:07 AM
Hi
Is the "old data" just on disk and left back when you start to use a new servers or is it frozen data?
r. Ismo
0 Karma
Reply

vikas_gopal
Builder
‎09-07-2023 07:22 AM

it is just old data ,  Both setups were running in parallel for like a month or so, once all the log sources shifted successfully to new setup we stopped using old setup . I am sure mostly the data will be in warm and cold bucket as when we stop/restart old splunk buckets should have moved to warm .   

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 11:55 PM

Hi @vikas_gopal,

at first the configuration you defined isn't recommended by Splunk, but its isn't a production system, so it could go.

About the idea to have a stand alone server containing the old data (that are in an Indexer Cluster), you could use one of the Cluster search peers disconnecting it from the old cluster, you have to put attention to the steps to follow:

  • disconnect from the cluster one by one all the indexers, in this way on the last remaining Indexer you'll have a copy of all the data,
  • then you can disconnect also it from the cluster.

It isn't an usual procedure and I'm not sure that it was tested, but it should work.

Ciao.

Giuseppe

0 Karma
Reply

vikas_gopal
Builder
‎09-07-2023 07:24 AM

Thank you , 

This is a very good suggestion but unfortunately all old server are decommissioned. We only have data backup in buckets form . I am pretty sure they are warm and cold . Hence it is decided to have a standalone and mount the data backup storage and start searching it . 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-07-2023 07:27 AM

Hi @vikas_gopal,

the main problem is that probably you have the backup in clustered format: I'm not sure that it's possible to restore it without a cluster!

Let me know if I can help you more.

Ciao.

Giuseppe

P.S.: Karma Points are appeciated 😉

0 Karma
Reply

vikas_gopal
Builder
‎09-07-2023 07:50 AM

yeah thank you in advance 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...