We are planning to decommission on-prem Splunk Ent 8.0.
Can anyone advise on how to back up and archive existing Splunk indexed data for future reference?
Also, if we have to open this archived data in the future, how can we open it without Splunk?
We have 1x SH, 1x Indexer, 2x HF, all on 8.0.
If you're absolutely sure you won't be using Splunk anymore and want to have the raw data available for any "external" means of searching/processing, you could also simply search for all data across all indexes and export the results, either as raw events into flat files or as events with metadata into CSV/JSON/XML.
Exporting data to a human-readable form of course has its pros as well as its cons: if you'd ever want to use Splunk again to search your data, you'd have to re-ingest and re-index it, which of course would count against your license limits.
And remember that if you restore your Splunk environment backup some time in the future, you might hit retention periods!
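Added example of the export route described in the reply above (my own script, not code from the poster or from Splunk). It assumes the indexer's management port is reachable at SPLUNK_URL (default https://localhost:8089) and that SPLUNK_TOKEN holds a Splunk authentication token sent as a Bearer header; the /services/search/jobs/export endpoint and its search, earliest_time, latest_time and output_mode parameters are the documented ones, while the one-file-per-index layout and the INDEX_NAME check are this script's own choices.

```python
"""Bulk-export the contents of Splunk indexes through the REST API."""
import os
import re
import ssl
import urllib.parse
import urllib.request

# Index names (and the "*" wildcard) only; anything else is refused so a
# caller cannot smuggle extra SPL such as "| delete" into the search string.
INDEX_NAME = re.compile(r"^[A-Za-z0-9_*-]+$")
OUTPUT_MODES = ("raw", "csv", "json", "xml")


def build_export_request(base_url, index, output_mode="raw", earliest="0"):
    """Return (url, urlencoded POST body) for a full export of one index.

    output_mode "raw" gives one _raw event per line (a flat file, no
    metadata); "csv", "json" and "xml" keep _time, host, source and
    sourcetype next to _raw, which matters if the data may be re-ingested.
    """
    if not INDEX_NAME.match(index):
        raise ValueError("bad index name: %r" % index)
    if output_mode not in OUTPUT_MODES:
        raise ValueError("unsupported output_mode: %r" % output_mode)
    url = base_url.rstrip("/") + "/services/search/jobs/export"
    body = urllib.parse.urlencode({
        "search": "search index=%s" % index,
        "earliest_time": earliest,  # "0" = from the epoch, i.e. all retained data
        "latest_time": "now",
        "output_mode": output_mode,
    }).encode("ascii")
    return url, body


def export_index(base_url, token, index, out_path, output_mode="raw",
                 verify_tls=True):
    """Stream one index into out_path; returns the number of bytes written."""
    url, body = build_export_request(base_url, index, output_mode)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": "Bearer " + token})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab box still on Splunk's self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    written = 0
    with urllib.request.urlopen(req, context=ctx) as resp, \
            open(out_path, "wb") as fh:
        # The export endpoint streams results, so a large index never has
        # to fit in memory on either side.
        for chunk in iter(lambda: resp.read(1 << 20), b""):
            fh.write(chunk)
            written += len(chunk)
    return written


if __name__ == "__main__":
    import sys
    base = os.environ.get("SPLUNK_URL", "https://localhost:8089")
    token = os.environ["SPLUNK_TOKEN"]
    mode = os.environ.get("SPLUNK_EXPORT_MODE", "json")
    # Index names come from the command line, e.g.: main _internal wineventlog
    for name in sys.argv[1:]:
        size = export_index(base, token, name, "%s.%s" % (name, mode), mode)
        print("%s: %d bytes written as %s" % (name, size, mode))
```

Run it once per index with SPLUNK_EXPORT_MODE=json (or csv) if there is any chance the data goes back into Splunk later, since the raw mode drops _time, host, source and sourcetype. The index-name check is there because the name is interpolated into SPL; without it a value taken from a config file or ticket could append its own pipeline.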
You can just use your favourite backup/archive tools to put that data (usually under /opt/splunk/var/lib/splunk + /opt/splunk/etc) in a safe place.
If you don't have Splunk when you need that data, you "can" look at those files under .../var/lib/splunk/..../rawdata/journal.gz (or another kind of zipped file) with the correct tools. Those are just compressed text files which you can look at with any suitable tool. BUT finding anything specific in there is a totally different story.....
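Added example of the "look at journal.gz with other tools" approach from the reply above (my own script, not the poster's or Splunk's). It assumes the archive keeps the on-disk layout the reply names (.../<index>/db/<bucket>/rawdata/journal.gz) and that the journals were written with the default gzip journalCompression. A journal does gunzip, but what comes out is raw event text interleaved with binary framing, so this behaves like `zcat journal.gz | strings | grep`: it recovers event text, not Splunk's metadata or timestamps. The sample bucket it builds for the demo is constructed here and is not a real Splunk journal.

```python
"""Grep archived Splunk buckets without a Splunk installation."""
import gzip
import re
import tempfile
from pathlib import Path

MIN_RUN = 8  # like strings(1): keep printable runs at least this long
PRINTABLE = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_RUN)


def find_journals(archive_root):
    """Yield every rawdata/journal.gz below archive_root, at any depth."""
    for path in sorted(Path(archive_root).rglob("journal.gz")):
        if path.parent.name == "rawdata":
            yield path


def printable_runs(journal_path):
    """Gunzip one journal and yield its printable runs as text.

    A truncated or non-gzip journal (e.g. one written with zstd or lz4
    journalCompression) is reported and skipped, not fatal to the scan.
    """
    try:
        with gzip.open(journal_path, "rb") as fh:
            data = fh.read()
    except (OSError, EOFError) as exc:
        print("skipping %s: %s" % (journal_path, exc))
        return
    for m in PRINTABLE.finditer(data):
        yield m.group(0).decode("ascii")


def grep_archive(archive_root, pattern):
    """Return [(journal path, matching run)] for runs matching pattern."""
    rx = re.compile(pattern)
    hits = []
    for journal in find_journals(archive_root):
        for run in printable_runs(journal):
            if rx.search(run):
                hits.append((str(journal), run))
    return hits


# Constructed sample events and framing bytes for the demo; the framing is
# stand-in binary noise, not Splunk's real journal format.
SAMPLE_EVENTS = [
    b"Jan 12 10:01:02 web01 sshd[1312]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2",
    b"Jan 12 10:01:05 web01 sshd[1312]: Accepted publickey for deploy from 198.51.100.4 port 51002 ssh2",
    b"Jan 12 10:02:00 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
]
FRAMING = b"\x00\x00\x01\x00\x00"


def make_sample_archive(root):
    """Write one fake bucket under root and return the journal path."""
    rawdata = Path(root) / "main" / "db" / "db_1705054920_1705053662_7" / "rawdata"
    rawdata.mkdir(parents=True)
    journal = rawdata / "journal.gz"
    with gzip.open(journal, "wb") as fh:
        for event in SAMPLE_EVENTS:
            fh.write(FRAMING + event + FRAMING)
    return journal


def run_demo(pattern):
    """Build the sample archive in a temp dir and grep it for pattern."""
    root = tempfile.mkdtemp(prefix="splunk-archive-")
    make_sample_archive(root)
    return grep_archive(root, pattern)


if __name__ == "__main__":
    for path, text in run_demo(r"sshd"):
        print(path, "::", text)
```

Point grep_archive at the copied var/lib/splunk tree and it walks every bucket it finds. Treat a hit as "this text is somewhere in that bucket", nothing more: with the index files gone you get no field extractions, no per-event timestamps, and events that ever contained non-ASCII bytes will come back split into fragments.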
You can check the documents below for the archive and restore processes.
Since you have a single indexer, all data is there.
You will need to use Splunk for restoring data, but the Enterprise Trial version or the Free version will be enough.