Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: How to backup all data Splunk has indexed?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to backup all data Splunk has indexed?
Hi everyone!
I would like to do a quick and dirty backup of all of my data Splunk has ever indexed. Am I fine to stop Splunk, then just take a copy of everything under $SPLUNK_HOME/var/lib/splunk ?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you changed any of default path in index.conf? if not the actual db path will be,
$SPLUNK_HOME/var/lib/splunk /*
So I would say simply back-up the folder after shutdown the splunk service(preferred) .
Steps would be,
- run the above command suggested by @areeter something like this
| rest /services/data/indexes | stats values(*expanded) as * by title - make sure the path are same
$SPLUNK_HOME/var/lib/splunk/. - Stop the server
./splunk stop - backup the path,
cp index_pah new_path
Hope this will helps you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cheers for that.
In that second link it states: For smaller amounts of data, shut down Splunk and just make a copy of your database directories before performing the upgrade... Where is that DB directory? Under $SPLUNK_HOME/var/lib/splunk ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The default location for indexes is $SPLUNK_HOME/var/lib/splunk, but when you create an index you have options to store the Home Path, Cold Path and Thawed Path elsewhere. Querying the index rest endpoint will give you a lot of information regarding your indexes, including their paths. Try the search command
| rest /services/data/indexes
and you should see what you need to backup.
Dave
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
