Backup Search Head cluster

I would like to back up a "search head" in one cluster (the folder splunk/etc/). The search head is on Linux, with a specific user for running the backup.
For that, I used a script in bash.
This script is on a Windows machine and it uses this command: "PSCP.EXE -p -q -r -i keys name_machine@IP:folder_backup/"
It works for another Splunk machine (heavy forwarder). But on the "search head" some folders are not backed up (it's random).

Maybe the search head is under replication, so I need a "shadow copy" function for a few folders?


0 Karma



My suggestion is to stop the Splunk service, run the backup, and after that start the Splunk service again. I believe that particular command does not work if some file is open.

According to the Splunk documentation, you should back up the SHC state:

"Back up at least one search head cluster (SHC) member periodically
As a best practice, periodically back up the SHC state to ensure you can restore knowledge objects in their current state in case of a catastrophic failure. For details about what to back up on the SHC and how, see Back up and restore search head cluster settings in the Splunk Enterprise Distributed Search manual."

Check this link here:

Also, there is a Splunk app that only works on Linux servers, which you can use to run a snapshot, but I have not worked with this app.

I hope this can help you.

0 Karma
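
The stop, back up, restart sequence suggested in the answer above, as an added example that is not part of the original thread or of Splunk's own tooling: it packs the etc directory into one checksummed archive on the search head, so a single file is copied instead of recursing through a live tree. `SPLUNK_BIN`, the function names and the archive naming are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example. Assumptions: SPLUNK_BIN (path to the splunk binary) is set by the
# operator; function names and the archive naming scheme are made up here.

# verify_snapshot SRC_DIR ARCHIVE: 0 if the checksum matches and every
# directory under SRC_DIR is present in the archive listing.
verify_snapshot() {
    local src="$1" archive="$2" tmp missing
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
    tmp=$(mktemp -d) || return 2
    ( cd "$src" && find . -type d | sed 's|$|/|' ) | LC_ALL=C sort > "$tmp/src"
    tar -tzf "$archive" | grep '/$' | LC_ALL=C sort > "$tmp/arc"
    missing=$(LC_ALL=C comm -23 "$tmp/src" "$tmp/arc")
    rm -rf "$tmp"
    if [ -n "$missing" ]; then
        printf 'directories missing from archive:\n%s\n' "$missing" >&2
        return 1
    fi
}

# snapshot_etc SRC_DIR OUT_DIR: prints the archive path on success.
snapshot_etc() {
    local src="$1" out="$2" name archive rc=0
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    mkdir -p "$out" || return 2
    name="etc-$(date +%Y%m%dT%H%M%S).tar.gz"
    archive="$out/$name"
    # Stop Splunk so nothing changes mid-copy (skipped when SPLUNK_BIN is unset).
    if [ -n "${SPLUNK_BIN:-}" ]; then "$SPLUNK_BIN" stop >&2 || return 3; fi
    ( umask 077                       # etc/ holds auth/splunk.secret and passwd
      tar -czf "$archive" -C "$src" . &&
      cd "$out" && sha256sum "$name" > "$name.sha256" ) || rc=4
    # Check completeness while the tree is still quiescent.
    if [ "$rc" -eq 0 ]; then verify_snapshot "$src" "$archive" || rc=5; fi
    # Restart even when the backup failed.
    if [ -n "${SPLUNK_BIN:-}" ]; then "$SPLUNK_BIN" start >&2 || rc=6; fi
    [ "$rc" -eq 0 ] || return "$rc"
    echo "$archive"
}
```

Copy the archive and its `.sha256` file together, then recompute the SHA-256 on the receiving machine and compare it, so a partial transfer is detected rather than discovered at restore time.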