Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Backup Search Head cluster

NSOCC
New Member
‎12-03-2019 06:40 AM

Hi,

I would like backup a "search head" in one cluster (The folder splunk/etc/). The search head is under linux with specific user for run backup.
For that, i used a script in bash.
This script is on windows machine and he use this command "PSCP.EXE -p -q -r -i keys name_machine@IP:folder_backup/"
He work for other machine splunk (Heavy forwarder). But on "search head" some folders are not backed up (its ramdom).

Maybe search head is under replicaiton so i need function "shadow copy" for few folders ?

Regards.

0 Karma
Reply

ivanreis
Builder
‎12-04-2019 04:14 PM

Hi NSOCC,

My suggestion is to stop splunk service and run the backup and after that start splunk service again. I believe the particular command does not work if there is some file opened.

According to the splunk documentation, you should backup the SHC state

https://docs.splunk.com/Documentation/CoE/ssf/Handbook/ConfigBackup#Guidelines_for_establishing_a_Sp...

"Back up at least one search head cluster (SHC) member periodically
As a best practice, periodically back up the SHC state to ensure you can restore knowledge objects in their current state in case of a catastrophic failure. For details about what to back up on the SHC and how, see Back up and restore search head cluster settings in the Splunk Enterprise Distributed Search manual."

Check this link here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/DistSearch/BackuprestoreSHC#Backup_the_search_hea...

Also there is an splunk app that only work on linux servers where you can use it to run a snapshot, but I did not work with this app.
https://splunkbase.splunk.com/app/4122/#/details

I hope this can help you.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...