When you restore archived logs, those logs are re-ingested into a temporary account. You can search restored accounts directly from your main Logs account. Restoring archived logs allows you to see your data in its original detail, so you can investigate events in OpenSearch Dashboards that are older than your plan’s retention period.
- The maximum data to restore is equivalent to your account’s daily reserved volume, no more than 100 GB.
- If the restore process exceeds the max, the process will fail.
- Data can be restored from the root of an S3 bucket, but not a sub-bucket path.
To restore and view archived logs
Before you begin, you’ll need:
- Archiving enabled
- Archived logs in your S3 bucket
Restore your archives
Your existing drop filters will not apply when restoring data. Instead, use the optional filters to control which data to restore.
In the Restore data tab, give your restored account a Name, and choose a Time range of up to 24 hours.
Next, you can optionally apply filters to control and limit which data you’d like to restore. Your restored logs will only include data that matches all of your filters.
To add a filter, click on Add a filter and choose the relevant field, operator, and value.
You can choose between the following operators:
- is - Pull logs that match the exact value
- is not - Pull logs that don’t contain the exact value
- is one of - Pull logs that contain one or more of the values
- is not one of - Pull logs that don’t contain one or more of the values
- exists - Pull all logs that contain the selected field
- does not exist - Pull all logs that don’t contain the selected field
Note that you can add up to 7 filters per restore process.
If you want to remove one of the filters you’ve created, click on the X next to its name.
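To make the filter semantics concrete, here is an added illustration (not Logz.io’s own implementation) that models the six operators and the "all filters must match" rule over a handful of constructed log records, and enforces the 7-filter limit. How the service treats a record that lacks the field for "is not" / "is not one of" is not stated on this page; the behaviour below (such records pass) is an assumption and is marked as such in the code.

```python
# Added illustration of the restore filter semantics described above.
# This is NOT Logz.io's implementation; field names and log records are constructed.
from typing import Any, Iterable, List, Sequence, Tuple

MAX_FILTERS = 7  # the page states up to 7 filters per restore

OPERATORS = {"is", "is not", "is one of", "is not one of", "exists", "does not exist"}

# A filter is (field, operator, value); value is ignored for exists / does not exist.
Filter = Tuple[str, str, Any]


def _matches(record: dict, field: str, op: str, value: Any) -> bool:
    """Evaluate one filter against one record."""
    present = field in record
    actual = record.get(field)
    if op == "exists":
        return present
    if op == "does not exist":
        return not present
    if op == "is":
        return present and actual == value
    if op == "is not":
        # Assumption: a record without the field does not "contain the exact
        # value", so it passes an "is not" filter.
        return not (present and actual == value)
    if op == "is one of":
        return present and actual in value
    if op == "is not one of":
        # Same assumption as "is not": a missing field passes.
        return not (present and actual in value)
    raise ValueError(f"unknown operator: {op!r}")


def select_for_restore(records: Iterable[dict], filters: Sequence[Filter]) -> List[dict]:
    """Return only the records that match ALL filters (filters are ANDed)."""
    if len(filters) > MAX_FILTERS:
        raise ValueError(f"at most {MAX_FILTERS} filters are allowed per restore")
    for _, op, _ in filters:
        if op not in OPERATORS:
            raise ValueError(f"unknown operator: {op!r}")
    return [r for r in records if all(_matches(r, *f) for f in filters)]


# Constructed sample records standing in for archived log lines.
SAMPLE_LOGS = [
    {"type": "nginx-access", "status": 500, "host": "web-1", "user": "alice"},
    {"type": "nginx-access", "status": 200, "host": "web-2"},
    {"type": "auth", "status": 401, "host": "idp-1", "user": "bob"},
    {"type": "auth", "host": "idp-2", "user": "carol"},
]


def demo() -> List[dict]:
    """Restore only error-status records of the two chosen types."""
    filters: List[Filter] = [
        ("type", "is one of", ["nginx-access", "auth"]),
        ("status", "exists", None),
        ("status", "is not", 200),
    ]
    return select_for_restore(SAMPLE_LOGS, filters)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Running a dry run like this against a sample of your own archived data is a cheap way to check that a filter set is narrow enough before you commit part of your daily reserved volume to a restore.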
Click on Restore to begin the restoring process. It might take a while to restore your archived data, depending on the number and size of the logs. For example, an hour’s worth of data might take a few minutes, while a day’s worth of data could take up to a few hours.
Once the restored account is ready, you’ll receive a notification via email.
Your restored account will remain available for 5 days. If you want to explore the data after the restore has expired, you’ll have to restore it again.
Explore the restored account in OpenSearch Dashboards
Open the email that says your restored account is ready for you and click View in OpenSearch Dashboards. This link takes you to OpenSearch Dashboards in your main account, but with a view showing only the restored account’s data.
If you need to filter OpenSearch Dashboards manually, choose the newly restored account in the Selected Accounts box, and then select your data’s original Time Range.
Now you’re ready to search your restored account!