Hi everyone!
I would like to do a quick and dirty backup of all of my data Splunk has ever indexed. Am I fine to stop Splunk, then just take a copy of everything under $SPLUNK_HOME/var/lib/splunk?
Thanks!
Have you changed any of the default paths in index.conf? If not, the actual DB path will be:
$SPLUNK_HOME/var/lib/splunk/*
So I would say simply back up the folder after shutting down the Splunk service (preferred).
Steps would be,
| rest /services/data/indexes | stats values(*expanded) as * by title
$SPLUNK_HOME/var/lib/splunk/
../splunk stop
cp -r index_path new_path
Hope this helps you.
Cheers for that.
In that second link it states: For smaller amounts of data, shut down Splunk and just make a copy of your database directories before performing the upgrade... Where is that DB directory? Under $SPLUNK_HOME/var/lib/splunk?
The default location for indexes is $SPLUNK_HOME/var/lib/splunk, but when you create an index you have options to store the Home Path, Cold Path and Thawed Path elsewhere. Querying the index REST endpoint will give you a lot of information regarding your indexes, including their paths. Try the search command:
| rest /services/data/indexes
and you should see what you need to back up.
Dave
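The copy step discussed in this thread, written out as an added example (not code from any of the posters or from Splunk): it copies every index directory listed in a file and verifies each copy with SHA-256 checksums, so home, cold and thawed paths outside the default location are covered too. The paths file (one expanded path per line, as reported by the REST search), the function names and the check for a running splunkd process are assumptions of this example.

```shell
#!/bin/sh
# Added example. Run only after Splunk has been stopped.

# Print a sorted "hash  relative-path" manifest for every file under $1.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# backup_index_paths PATHS_FILE DEST
# PATHS_FILE: one absolute index directory per line (hypothetical input file).
# Returns 0 only if every listed directory was copied and verified.
backup_index_paths() {
    paths_file=$1
    dest=$2
    rc=0
    # Assumption: refuse to copy while splunkd runs, so buckets are not changing.
    if command -v pgrep >/dev/null && pgrep -x splunkd >/dev/null; then
        echo "splunkd is running; stop Splunk first" >&2
        return 1
    fi
    while IFS= read -r src; do
        [ -n "$src" ] || continue
        if [ ! -d "$src" ]; then
            echo "missing: $src" >&2; rc=1; continue
        fi
        # Recreate the full source path under DEST so indexes cannot collide.
        target="$dest/${src#/}"
        mkdir -p "$target" || { rc=1; continue; }
        # -a keeps ownership, permissions and timestamps of the bucket files.
        cp -a "$src/." "$target/" || { rc=1; continue; }
        if [ "$(manifest "$src")" = "$(manifest "$target")" ]; then
            echo "verified: $src"
        else
            echo "MISMATCH: $src" >&2; rc=1
        fi
    done < "$paths_file"
    return $rc
}
```

A non-zero return means at least one listed path was missing, failed to copy, or did not match its source after copying.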