Restore a new account

When you restore archived logs, those logs are re-ingested into a temporary restored account that you can search from your main account. Restoring archived logs allows you to see your data in its original detail, so you can investigate events in Kibana that are older than your plan’s retention period.

To restore and view archived logs

Before you begin, you'll need archiving enabled and archived logs in your S3 bucket.

Make your preparations

There are a few things you need to check before you begin the process.

  1. Double-check your Drop filters to make sure logs you need won’t be filtered.

    If you’re planning to restore logs that could be dropped by your drop-filters, you’ll need to first make the necessary changes to your drop-filters before restoring. Otherwise the logs will just be dropped right after they are restored, and before they reach your account.

  2. There’s a 100 GB limit on restoring from archive from the AWS side. If you exceed this limit, the restore will fail at the end of the process.

    To avoid this outcome, we recommend calculating the volume of logs you are about to restore to make sure it is under the limit. You can make a rough calculation by scaling the daily volume of logs you ship to the number of hours you intend to restore.

    You can look up your account’s volume analysis here.

If you disabled any drop-filters in the first step, expect your restore to be larger than shown in your volume analysis.
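The size check described above, as an added example that is not part of the original page: it scales the daily volume from your volume analysis to the requested Time range, scales it back up for any drop filters you disabled, and compares the result with the 100 GB limit. It assumes (not stated on the page) that the volume analysis figure is measured after drop filters, so the dropped share has to be added back; the function names and the constructed sample values are mine.

```python
"""Pre-flight size estimate for an archive restore (added example)."""
from dataclasses import dataclass

RESTORE_LIMIT_GB = 100.0   # AWS-side limit on a single restore
MAX_WINDOW_HOURS = 24      # longest Time range a restore can cover


@dataclass
class RestorePlan:
    estimated_gb: float       # rough size of the restore
    under_limit: bool         # True if it should fit under 100 GB
    max_hours_under_limit: float  # longest window that fits at this rate


def estimate_restore_gb(daily_volume_gb, hours, dropped_fraction=0.0):
    """Rough size of restoring `hours` of logs.

    daily_volume_gb  - daily volume from the account's volume analysis
    hours            - length of the Time range to restore (0 < hours <= 24)
    dropped_fraction - share of raw volume currently removed by drop filters
                       that you will disable before restoring (0.0 if none).
                       Assumption: volume analysis is post-filter, so the
                       restore is scaled up by 1 / (1 - dropped_fraction).
    """
    if not 0 < hours <= MAX_WINDOW_HOURS:
        raise ValueError(f"Time range must be between 0 and {MAX_WINDOW_HOURS} hours")
    if not 0 <= dropped_fraction < 1:
        raise ValueError("dropped_fraction must be in [0, 1)")
    return daily_volume_gb * hours / 24 / (1 - dropped_fraction)


def plan_restore(daily_volume_gb, hours, dropped_fraction=0.0):
    """Estimate the restore and report whether it stays under the limit."""
    gb = estimate_restore_gb(daily_volume_gb, hours, dropped_fraction)
    hourly_gb = gb / hours
    # Largest window that stays under the limit at this rate, capped at 24 h
    max_hours = min(MAX_WINDOW_HOURS, RESTORE_LIMIT_GB / hourly_gb)
    return RestorePlan(round(gb, 2), gb <= RESTORE_LIMIT_GB, round(max_hours, 2))


if __name__ == "__main__":
    # Constructed sample: 120 GB/day, full 24 h window, no drop filters changed
    print(plan_restore(120, 24))
    # Constructed sample: 60 GB/day, 12 h window, drop filters removing 25 %
    print(plan_restore(60, 12, dropped_fraction=0.25))
```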

Restore your archives

In the Restore tab, give your restored account a Name, choose a Time range of up to 24 hours, and click Restore.

The time it takes to restore your archives depends on a few factors, so there’s no way to know how long your re-ingestion will take.

You’ll receive an email when the restored account is ready.

As an informal guideline, if you’re restoring an hour’s worth of data, go have a cup of coffee. If you’re restoring a day’s worth of data, take a long lunch break.

Explore the restored account in Kibana

Open the email that says your restored account is ready for you and click View in Kibana. This link takes you to Kibana in your main account, but in a view that shows only the data from the restored account.

If you need to filter Kibana manually, choose the new restored account in the Selected Accounts box, and then select your data’s original Time Range.

Now you're ready to search your restored account! Just be aware of the expiration: the restored account expires after 5 days, and after that you'll have to restore the archives again if you need them.