Deployment Architecture

How can I take a backup of my saved searches, macros and index data?

ajayabburi508
Path Finder

Hi All,

I am trying to move my entire project code to another server. So how can I arrange that setup?
Mainly, what I want is how I can take a saved searches backup, macros backup and index backup without creating them again.

mayurr98
Super Champion

Hey,
All Splunk's configuration information is contained in configuration files. To back up the set of configuration files, make an archive or copy of $SPLUNK_HOME/etc/. This directory, along with its subdirectories, contains all the default and custom settings for your Splunk install, and all apps, including saved searches, user accounts, tags, custom source type names, and other configuration information.

Copy this directory to a new Splunk instance to restore. You don't have to stop Splunk to do this.

For more information about configuration files, read "About configuration files".

Let me know if this helps!

ajayabburi508
Path Finder

Yes mayurr98, it helps me a lot.

0 Karma

mayurr98
Super Champion

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

0 Karma

ajayabburi508
Path Finder

Thanks Elsurion.

What about index data backup?

Elsurion
Communicator

The indexes are stored (normally) under

/opt/splunk/var/lib/splunk/<your_index>

When you want to move this data as well, just follow this short howto.

  • Stop the Splunk indexer on the destination.
  • Check that you aren't getting new data in on the old location, otherwise you will have some holes in the data.
  • Delete any existing data of the index you want to copy on the destination system.
  • Copy the index folder from the old location to the new location; keep the paths the same.
  • Copy the .dat file from /opt/splunk/var/lib/splunk/ to the new location; overwrite it when existing.
  • Start the Splunk indexer on the destination.
  • Check the startup messages to see if any error occurred.
  • Check the data within Splunk.

Do not move the data from A to B, since it could be that you make a mistake and in that case you would lose all data.

0 Karma
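The copy-instead-of-move step from the howto above, as an added example that is not part of the original posts: it copies an index directory to a fresh destination and compares SHA-256 manifests of both trees, so the source is only retired once the copy is proven identical. The function names and the use of `sha256sum` are assumptions of this example; Splunk should already be stopped on the destination as the howto says.

```shell
#!/bin/sh
# Added example: copy an index directory (never move it) and verify the copy.
# Function names are hypothetical; paths are passed in by the caller.

# manifest DIR: print "sha256  ./relative/path" for every file, sorted by path.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# verify_copy SRC DST: 0 if both trees hold the same files with the same
# hashes, 1 on any difference, 2 if a tree is unreadable, 3 if SRC is empty.
verify_copy() {
    src_manifest=$(manifest "$1") || return 2
    dst_manifest=$(manifest "$2") || return 2
    if [ -z "$src_manifest" ]; then
        echo "no files found under $1" >&2
        return 3
    fi
    if [ "$src_manifest" != "$dst_manifest" ]; then
        echo "copy differs from source: keep $1 and copy again" >&2
        return 1
    fi
    return 0
}

# copy_index SRC DST: refuse to write over stale data on the destination,
# copy with ownership and timestamps preserved, then verify.
copy_index() {
    if [ ! -d "$1" ]; then
        echo "source $1 is not a directory" >&2
        return 4
    fi
    if [ -e "$2" ]; then
        echo "destination $2 exists: delete the old index data first" >&2
        return 3
    fi
    mkdir -p "$(dirname "$2")" || return 5
    cp -Rp "$1" "$2" || return 5
    verify_copy "$1" "$2"
}

# Usage: sh copy_index.sh <old index dir> <new index dir>
if [ "$#" -eq 2 ]; then
    copy_index "$1" "$2"
fi
```

A non-zero exit means the source must stay in place; `verify_copy` can also be run on its own after a copy made over the network.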

ajayabburi508
Path Finder

Thanks Elsurion

0 Karma

Elsurion
Communicator

It depends on whether the saved searches etc. are private to you or in an app.

If private, then you could move just your own folder under

/opt/splunk/etc/users/<your_user>

to the new server.

If it is an app, then you should move the whole app you want to move to the new server

/opt/splunk/etc/apps/<your_app>

ajayabburi508
Path Finder

Thanks Elsurion for your reply.

If I copy the entire app to another server, will it automatically move all saved searches and macros into my new server app? And what about index data backup, bro?

0 Karma

Elsurion
Communicator

When the saved searches are stored in the app context, yes. If not, move them into the correct app context, either by moving them from the wrong app to the correct one or by changing the permissions from private to app.

When you save a search you can set the permissions, where you have three options.

  • Owner (Private)
  • App (App Context)
  • All apps (App Context)

When you copy the app to the new location and restart Splunk, Splunk will read the added configuration and add it to the available stuff.

The point about the indexed data will be answered in the other answer related to the question.

0 Karma