Manual backup restore

iexpertini · April 17, 2025, 10:27pm

Greetings,

We’re currently facing an issue with our Elasticsearch cluster, which consists of 8 nodes. Unfortunately, we accidentally “emptied” an index (my_index) from the cluster. While we don’t have a snapshot, we do have a backup of the entire Elasticsearch data folder. We attempted to restore the index data manually by copying it back into the appropriate UUID directory in the data folder.

However, after doing this and restarting the Elasticsearch service, the index is being automatically rewritten by the cluster with new data.

What We’ve Tried:

We excluded one of the nodes, "node-8_", from the cluster and tried pointing it to the data folder. Elasticsearch started, but we were unable to log in or reset the password. The error message kept saying the cluster health is not determined.
We also tried setting the discovery.seed to single-node mode, but this also didn’t work.

Current Situation:

The goal is to restore the original index data (my_index) and merge it with the new data that is currently being written to the index. Essentially, we want to retain the existing data from the backup and integrate it with the fresh data that is already being written to my_index.

My Question

Is there any way around this issue to restore the my_index and merge the old data with the new data?

Any help or advice on how to approach this would be greatly appreciated!

Thank you!

nguyenlethaihoang · April 18, 2025, 2:58am

Hi @iexpertini , let’s give this a shot—I’m not sure it’ll work, but here’s what I’d try:

Spin up a single-node ES instance using the same version (e.g. 8.x).
Copy your entire backup data/ directory into that node’s path.data.
In elasticsearch.yml, set:

cluster.name: restore-cluster
node.name: restore-node
path.data: /path/to/backup/data
discovery.type: single-node
xpack.security.enabled: false
network.host: 0.0.0.0
http.port: 9200

Start Elasticsearch—this node should pick up the old cluster state and bring back my_index.
Verify by hitting:

GET http://restore-node:9200/_cat/indices?v
GET http://restore-node:9200/my_index/_count

I hope you can fix your problem soon.

RainTown · April 18, 2025, 5:27pm

Do you know the number of primary / replica shards for that index, and where they were across your 8 nodes before you deleted the documents from the index?

IMO your best bet is to create a new 8-node cluster, maybe using VMs, copy your backup data into that new cluster, try to get your data back there.

If that succeeds, you can worry about how to merge with the "real" index in the production cluster.

Topic		Replies	Views
Deleted cluster,cant restore index from non-ES snapshot (disk backup) Elasticsearch	9	1372	July 5, 2017
Replay Data after deletion of Indices Elastic Community and Ecosystem	3	499	November 2, 2020
Manually import data from indices folder Elasticsearch	6	1697	December 2, 2021
Restore index from another cluster Elasticsearch	2	13449	March 6, 2019
Elasticsearch backup not recovering as intended Elasticsearch	1	247	July 6, 2017

Manual backup restore

What We’ve Tried:

Current Situation:

My Question

Related topics