
Data Restoration

More information about restoring Elasticsearch data can be found here.

Considerations

Keep the following in mind when restoring data from a snapshot:

  • You can only restore an existing index if it’s closed and the index in the snapshot has the same number of primary shards.
  • You cannot restore an existing open index.
  • The restore operation automatically opens restored indices.

To get a list of available snapshots ordered by descending start time, use the following commands:

  • GET _snapshot/continuous_backup/*?order=desc
  • GET _snapshot/retention_backup/*?order=desc

To get a list of available snapshots from a specific date, use the following commands:

  • GET _snapshot/continuous_backup/fam-backup-2022.08.02-*?verbose=false
  • GET _snapshot/retention_backup/retention_backup-2022.08.02-*?verbose=false

Restore a Deleted Index

To restore a deleted index or indices, find the specific snapshots which contain the index you want to restore.

  POST _snapshot/retention_backup/retention-backup-2022.08.01-00:10:00/_restore
  {  
  "indices": "events_2022_07_2,events_2022_05_1"
  }

Restore an Existing Index

If you need to restore an existing index, there are two preferred ways to do it:

1. Delete and Restore

For more information, refer to the Elasticsearch documentation on delete and restore.

If you only need to restore a specific index, the simplest way to avoid conflicts is to delete the existing index before restoring it.

Example: DELETE pii-1,pii-8

In the restore request, explicitly specify the repository name, snapshot name, and any indices to restore.

  POST _snapshot/continuous_backup/fam-backup-2022.08.03-09:00:00-fv59i0lpqjipxdtcwirs8a/_restore
  {  
  "indices": "pii-1,pii-8"
  }

2. Rename and Restore

For more information, refer to the Elasticsearch documentation on rename on restore.

If you want to avoid deleting existing data, you can instead rename the indices you restore. This method is typically used to compare existing data to historical data from a snapshot. For example, you can use this method to review documents after an accidental update or deletion.

  POST _snapshot/my_repository/my_snapshot_2099.05.06/_restore
  {  
  "indices": "my-index,logs-my_app-default",  
  "rename_pattern": "(.+)",  
  "rename_replacement": "restored-$1"
  }

When the restore operation is complete, you can compare the original and restored data. If you no longer need the original index, you can delete it and use a reindex operation to rename the restored one.

To delete the original index: DELETE my-index

To reindex the restored index and rename it: POST _reindex

     {  
     "source": {    
        "index": "restored-my-index"  
     },  
     "dest": {    
        "index": "my-index"  
     }
     }
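
The Considerations above and the rename-and-restore option can be checked before a restore request is sent. The following is an added example, not part of the original page or of File Access Manager: `plan_restore` is a hypothetical helper, and the cluster state and snapshot shard counts are constructed sample data.

```python
import re

# Constructed sample state: what exists on the cluster, and primary shard counts in the snapshot.
CLUSTER = {
    "my-index": {"status": "open", "pri": 1},
    "pii-1": {"status": "close", "pri": 1},
    "pii-8": {"status": "close", "pri": 3},
}
SNAPSHOT_SHARDS = {"my-index": 1, "pii-1": 1, "pii-8": 1, "events_2022_07_2": 1}


def to_python_replacement(replacement):
    # rename_replacement uses $1-style group references; re.sub expects \g<1>.
    return re.sub(r"\$(\d+)", r"\\g<\1>", replacement)


def plan_restore(requested, snapshot_shards, cluster,
                 rename_pattern=None, rename_replacement=None):
    """Hypothetical helper: map each requested index to (target name, verdict)."""
    plan = {}
    for name in requested:
        if name not in snapshot_shards:
            plan[name] = (None, "blocked: not in snapshot")
            continue
        target = name
        if rename_pattern is not None:
            target = re.sub(rename_pattern,
                            to_python_replacement(rename_replacement), name)
        existing = cluster.get(target)
        if existing is None:
            verdict = "ok: target does not exist"
        elif existing["status"] == "open":
            verdict = "blocked: target index is open"
        elif existing["pri"] != snapshot_shards[name]:
            verdict = "blocked: primary shard count differs"
        else:
            verdict = "ok: target is closed and shard counts match"
        plan[name] = (target, verdict)
    return plan


if __name__ == "__main__":
    for args in ({}, {"rename_pattern": "(.+)", "rename_replacement": "restored-$1"}):
        for index, result in plan_restore(list(SNAPSHOT_SHARDS), SNAPSHOT_SHARDS, CLUSTER, **args).items():
            print(index, "->", result)
```
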

Restore an Entire Cluster

Caution

This should only be used in case of a failure.

Note

File Access Manager recommends reading the Elasticsearch guide first, which can be accessed here.

Temporarily stop indexing and turn off the following features:

GeoIP database downloader

PUT _cluster/settings
{  
  "persistent": {    
    "ingest.geoip.downloader.enabled": false  
  }
}

ILM

POST _ilm/stop

Monitoring

PUT _cluster/settings
{  
  "persistent": {    
    "xpack.monitoring.collection.enabled": false  
  }
}

Machine Learning

POST _ml/set_upgrade_mode?enabled=true

Watcher

POST _watcher/_stop

Use the cluster update settings API to set action.destructive_requires_name to false. This allows you to delete data streams and indices using wildcards.

PUT _cluster/settings
{  
  "persistent": {    
    "action.destructive_requires_name": false  
  }
}

Delete all existing data streams on the cluster.

DELETE _data_stream/*?expand_wildcards=all

Delete all existing indices on the cluster.

DELETE *?expand_wildcards=all

Restore the entire snapshot, including the cluster state. By default, restoring the cluster state also restores any feature states in the snapshot.

  POST _snapshot/my_repository/my_snapshot_2099.05.06/_restore
  {  
  "indices": "*",  
  "include_global_state": true
  }

Note

Restore requests return immediately. The restore happens in the background, and the user needs to wait until it completes.

The GET _cluster/health request can be used to monitor Cluster Health and restore progress.

When the restore operation is complete, resume indexing and restart any features you stopped:

GeoIP database downloader

PUT _cluster/settings
{  
  "persistent": {    
    "ingest.geoip.downloader.enabled": true  
  }
}

ILM

POST _ilm/start

Machine Learning

POST _ml/set_upgrade_mode?enabled=false

Monitoring

PUT _cluster/settings
{  
 "persistent": {    
  "xpack.monitoring.collection.enabled": true  
 }
}

Watcher

POST _watcher/_start

Reset the action.destructive_requires_name cluster setting.

PUT _cluster/settings
{  
 "persistent": {    
  "action.destructive_requires_name": null  
 }
}