Deployment Architecture

Backup Search Head cluster

NSOCC
New Member

Hi,

I would like to back up a "search head" in a cluster (the folder splunk/etc/). The search head runs on Linux, with a specific user for running the backup.
For that, I used a script in bash.
This script is on a Windows machine and it uses this command: "PSCP.EXE -p -q -r -i keys name_machine@IP:folder_backup/"
It works for other Splunk machines (heavy forwarder). But on the "search head" some folders are not backed up (it's random).

Maybe the search head is under replication, so I need a "shadow copy" function for a few folders?

Regards.

0 Karma

ivanreis
Builder

Hi NSOCC,

My suggestion is to stop the Splunk service, run the backup, and after that start the Splunk service again. I believe the particular command does not work if some file is open.

According to the Splunk documentation, you should back up the SHC state:

https://docs.splunk.com/Documentation/CoE/ssf/Handbook/ConfigBackup#Guidelines_for_establishing_a_Sp...

"Back up at least one search head cluster (SHC) member periodically
As a best practice, periodically back up the SHC state to ensure you can restore knowledge objects in their current state in case of a catastrophic failure. For details about what to back up on the SHC and how, see Back up and restore search head cluster settings in the Splunk Enterprise Distributed Search manual."

Check this link here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/DistSearch/BackuprestoreSHC#Backup_the_search_hea...

Also, there is a Splunk app that only works on Linux servers, which you can use to run a snapshot, but I have not worked with this app.
https://splunkbase.splunk.com/app/4122/#/details

I hope this can help you.

0 Karma
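
An added example, not part of either post above and not Splunk tooling: one way to make the "some folders are missing" symptom detectable is to archive the directory on the search head itself, record a file manifest next to the archive, and check the archive against the manifest before the single file is copied off the host. The function names and the manifest file name are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example. Run on the Linux search head, ideally while the service is
# stopped as suggested in the reply above, then copy the one archive (and its
# manifest) instead of recursively copying a live directory tree.

# list_files DIR: print every regular file under DIR as a sorted relative path.
list_files() {
    (cd "$1" && find . -type f | LC_ALL=C sort)
}

# backup_dir SRC OUT.tar.gz: write OUT.tar.gz.manifest, then the archive.
# GNU tar exits non-zero if a file changed while it was being read, which is
# the early warning that the tree was still being written to.
backup_dir() {
    bk_src=$1
    bk_out=$2
    list_files "$bk_src" > "$bk_out.manifest" || return 1
    # -C keeps the stored paths relative so the archive restores anywhere.
    tar -czf "$bk_out" -C "$bk_src" .
}

# verify_backup OUT.tar.gz: print manifest paths that are absent from the
# archive. Returns 0 only when nothing is missing.
verify_backup() {
    vb_out=$1
    # Directory entries in the tar listing end in "/", so drop them and
    # compare the remaining file paths with the manifest.
    vb_missing=$(tar -tzf "$vb_out" | grep -v '/$' | LC_ALL=C sort \
        | comm -23 "$vb_out.manifest" -)
    [ -z "$vb_missing" ] && return 0
    printf '%s\n' "$vb_missing"
    return 1
}

# Usage: script.sh <directory to back up> <archive path>
if [ "$#" -eq 2 ]; then
    backup_dir "$1" "$2" && verify_backup "$2"
fi
```

Running `verify_backup` again on the machine that receives the archive confirms that the transfer itself did not truncate it.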