Restore archived data to Splunk Cloud Platform

DDAA lets you restore indexed data from the Splunk archive. Data in DDAA can be restored to Dynamic Data Active Searchable (DDAS) to be searched. After restoring data, you can search it like any other data.

You restore data based on the time period for the data you want to search. For example, you might want to restore data for a period of one day. When you pick a date from the date-picker, DDAA treats it as 12 AM UTC of the selected date. So, if you want to restore one day's worth of archived data, (for example, on 07/10/2018) you must specify 07/10/2018 in the 'from' field and 07/11/2018 in the 'to' field.

By default, restored data is searchable for a period of one month. Splunk automatically removes the data after this period. Splunk does not remove data from the archive.

The archival process can take up to 48 hours to complete and the restoration process can take up to 24 hours to complete. Because the complete archival and restoration cycle can take up to 72 hours to complete, be sure to plan any data restoration processes accordingly.

How restoring data works

When you restore data to Splunk Cloud Platform from the archive, a copy of the archived data is moved back to the Splunk Cloud Platform environment. To ensure your data is safe, Splunk Cloud Platform never moves or deletes the original archived data. This method of temporary data restoration ensures that you can never mistakenly delete your archived data.

Note: When you restore archived data to an index in your Splunk Cloud Platform instance, it does not count against the retention periods configured for data in your index. Restored data exists outside of the constraints of retention periods and size limits and does not affect the retention of your existing index data.

When you restore data, Splunk Cloud Platform checks several conditions to ensure that you do not experience performance issues and that you do not duplicate data and cause your queries to return incorrect results:

  • Check for overlapping data. Splunk Cloud Platform does not restore data if you have already restored data in that same time range. This is to ensure you do not restore duplicate data, which would cause inaccurate search results. For example, if you specify that you want to restore data from 07/01/2018-07/03/2018, but you have already restored data from 07/01/2018-07/02/2018, Splunk Cloud Platform will prevent your data restore. In this case, it is recommended you restore the data that falls outside of the range of the data you have already restored. In this example, you would restore data from 07/03/2018-07/04/2018.
  • Check to ensure data is not likely to cause performance issues. Splunk Cloud Platform checks the size of the data you want to restore and presents you with a warning if the size of the data may cause performance issues. If the size of that data is very likely to cause performance issues, Splunk Cloud Platform will prevent you from restoring the data.

During the data restoration process, the Splunk platform retrieves all buckets that contain events necessary for the specified search period. For certain restoration scenarios, this can result in the total size of the restored data being much greater than the total number of restored events. This behavior is normal and to be expected.

After you have restored data, you may notice that events appear in your index that are older than your configured retention period specifies. This restored data will remain in your index for 30 days or until you clear it.

If your attempt to restore archived data fails, verify that the data was not recently archived. Because there is a time period during which data is being transitioned from Splunk Cloud Platform to the archive, you will not be able to restore that data during the processing period. Generally, data moved to the archive is available in approximately 48 hours.

Note: If you want to restore data archived within the last 48 hours, you must explicitly disable the default "Exclude" option for Recently Archived Data in the Restore Archive modal. When set to "Exclude", DDAA skips restoration of data archived within the last 48 hours. See Steps to restore archived data to Splunk Cloud Platform
In addition, ensure that the data is fully archived and the timestamps are correct, or data restoration will fail with the following error message: ''You cannot restore data that was archived less than 48 hours ago. Please try again later''. If you receive this message, you must set the Recently Archived Data mode to "Exclude" to proceed with data restoration. For more information, see Troubleshoot Dynamic Data Active Archive.

What happens when you are finished searching the restored data

After the data is temporarily restored to your Splunk Cloud Platform environment it is available for searching for 30 days. Restored data is a copy of the archived data so you never need to move the data back to the archive, but for best performance, you should remove the temporarily restored data when you have finished searching it.

Temporarily restored data is available only for 30 days. This 30-day time period can't be modified in any way, meaning reduced or extended. Also, this time period restriction applies to all temporarily restored data, regardless of the configuration settings for your deployment's indexers.

Steps to restore archived data to Splunk Cloud Platform

  1. In Splunk Cloud, go to Settings > Indexes.
  2. For the index where you want to restore data, click Restore. The menu displays the restore history for the specified index. You can see the history of data restoration and file size for the data restored.
  3. Use the date picker to select a time range to retrieve.
  4. Click Check size. Splunk Cloud Platform checks to see if the size of the file might impact performance. If the file size is too large, Splunk Cloud Platform blocks you from restoring data. If there is a potential performance impact, Splunk Cloud Platform displays a warning. Splunk Cloud Platform also prevents you from restoring data that overlaps with existing restored data.
  5. Enter an email address to send job status notifications. Splunk Cloud Platform will notify you when the restoration is complete.
  6. (Optional) If your time range includes data archived within the last 48 hours, toggle the Recently Archived Data switch to disable the default Exclude mode. When set to "Exclude" mode, DDAA skips restoration of data archived within the last 48 hours. Note that attempting to restore data that is not fully archived can cause data restoration to fail. For more information, see Troubleshoot Dynamic Data Active Archive.
  7. Click Restore when you have refined the file size or date range to acceptable limits.

    Note: After you initiate data restoration, it can take up to 24 hours before data is restored. If it takes longer than 24 hours, contact Splunk Technical Support.
  8. To check the status of your data restoration, click Splunk Archive in the Storage Type field to open the Archive page. To view the restore status, click the Restore tab. In the JobStatus field, you can see the status of your job:
  • Pending: The job has been submitted, but has not begun processing.
  • In progress: The job has been started, and is progressing.
  • Success
  • Cleared: You've successfully deleted the temporary archive from your index.
  • Expired: The restored data has passed the 30 day retention period and has been deleted from the index.
  • Failed: If you receive a Failed status, click the > button for the archive to display more details about why the restoration failed.

Steps to remove restored data from Splunk Cloud Platform

Splunk recommends you manually remove restored data when you are finished searching it.

Note: Restored data is a copy of the archived data, so you never need to move the data back to the archive, but for best performance, you should remove the temporarily restored data when you are done searching it.

To remove restored data:

  1. In Splunk Cloud, go to Settings > Indexes.
  2. Select the index with data you want to remove and click Restore to open the Restore Archive page.
  3. For the range of data you want to remove, select Clear in the Actions column.

When the data is successfully removed, the Jobstatus column displays a Cleared status.