Deployment Architecture

Splunk instances decommission and backup/archive

abhic25
Explorer

Hi Experts,

We are planning to decommission on-prem Splunk Ent 8.0.

Can anyone advise on how to back up and archive existing Splunk indexed data for future reference?

Also, if we have to open this archived data in the future, how can we open it without Splunk?

We have 1x SH, 1x indexer, 2x HF; all are 8.0.


PickleRick
Ultra Champion

If you're absolutely sure you won't be using Splunk anymore and want to have the raw data available for any "external" means of searching/processing, you could also simply search for all data across all indexes and export the results, either as raw events into flat files or as events with metadata into CSV/JSON/XML.

Exporting data to a human-readable form of course has its pros as well as cons: if you'd ever want to use Splunk again to search your data, you'd have to re-ingest and re-index it, which of course would affect your license limits.

And remember that if you restore your Splunk environment backup some time in the future, you might hit retention periods!


abhic25
Explorer

Thanks @isoutamo and @scelikok, I will keep /opt/splunk/var/lib/splunk + /opt/splunk/etc in a safe place.


isoutamo
SplunkTrust

You can just use your favourite backup/archive tools to put that data (usually under /opt/splunk/var/lib/splunk + /opt/splunk/etc) in a safe place.

If you don't have Splunk when you need that data, you "can" look at those files under .../var/lib/splunk/..../rawdata/journal.gz (or an otherwise zipped file) with the correct tools. Those are just compressed text files which you can look at with any suitable tool. BUT finding anything specific in there is a totally different story...

r. Ismo
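As an added illustration of the "look at journal.gz without Splunk" idea above (example code written for this page, not from the thread's authors or from Splunk), the script below inventories the buckets in a backed-up index directory and pulls readable text out of each rawdata/journal.gz into one grep-able flat file. It assumes Splunk's documented warm/cold bucket naming, db_<newest_epoch>_<oldest_epoch>_<localid> under <index>/db or <index>/colddb, and treats journal.gz as a gzip stream in which raw event text sits between Splunk-specific binary framing; that framing is not parsed, only printable runs are kept, the way `strings -n` would. Function names, the sample tree and the two syslog-style events are constructed for the example; buckets stored with another compressor (no journal.gz) are listed but skipped.

```python
"""Offline reader for a backed-up Splunk index directory (hypothetical helper).

Assumed layout (Splunk's bucket naming, not something the thread spells out):
  <db_root>/<index>/db/db_<newest_epoch>_<oldest_epoch>_<localid>/rawdata/journal.gz
  <db_root>/<index>/colddb/...   (same naming for cold buckets)
journal.gz is treated as a gzip stream whose raw event text lies between
Splunk-specific binary framing; the framing is not parsed, only printable
runs are kept, as `strings -n` would do.
"""
import gzip
import os
import re
import tempfile
from datetime import datetime, timezone

# db_/rb_ <newest> _ <oldest> _ <localid>; hot_v1_* buckets carry no time
# range in their name and are skipped by this inventory.
BUCKET_RE = re.compile(r"^(db|rb)_(\d+)_(\d+)_(\d+)")


def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def list_buckets(db_root):
    """Inventory warm/cold buckets with the time range encoded in their name."""
    buckets = []
    for index in sorted(os.listdir(db_root)):
        for sub in ("db", "colddb"):
            d = os.path.join(db_root, index, sub)
            if not os.path.isdir(d):
                continue
            for name in sorted(os.listdir(d)):
                m = BUCKET_RE.match(name)
                if not m:
                    continue
                journal = os.path.join(d, name, "rawdata", "journal.gz")
                buckets.append({
                    "index": index,
                    "bucket": name,
                    "newest": int(m.group(2)),
                    "oldest": int(m.group(3)),
                    # None when the bucket uses another compressor or is damaged
                    "journal": journal if os.path.isfile(journal) else None,
                })
    return buckets


def extract_text(journal_path, min_len=16):
    """Yield printable ASCII runs of at least min_len bytes, streaming the
    decompressed journal line by line so a large bucket is not read at once."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    with gzip.open(journal_path, "rb") as fh:
        for line in fh:
            for m in pat.finditer(line):
                yield m.group(0).decode("ascii")


def dump_to_flat_file(db_root, out_path, min_len=16):
    """Write every run from every readable bucket to one TSV:
    index, bucket time range (UTC), bucket name, text. Returns the row count."""
    rows = 0
    with open(out_path, "w", encoding="ascii") as out:
        for b in list_buckets(db_root):
            if b["journal"] is None:
                continue
            span = "%s..%s" % (_iso(b["oldest"]), _iso(b["newest"]))
            for text in extract_text(b["journal"], min_len):
                out.write("%s\t%s\t%s\t%s\n" % (b["index"], span, b["bucket"], text))
                rows += 1
    return rows


def make_sample_archive():
    """Build a constructed one-bucket tree in a temp dir (not real Splunk
    data): two syslog-style events wrapped in made-up binary framing."""
    root = tempfile.mkdtemp(prefix="splunk-archive-")
    rawdata = os.path.join(root, "main", "db", "db_1656374400_1656288000_7", "rawdata")
    os.makedirs(rawdata)
    blob = (b"\x00\x01\x02\xffSLICE\x00"
            b"Jun 28 12:00:01 host sshd[101]: Failed password for root from 203.0.113.5\n"
            b"\xfe\xfd\x00"
            b"Jun 28 12:00:02 host sshd[101]: Accepted publickey for ops\n"
            b"\x00")
    with gzip.open(os.path.join(rawdata, "journal.gz"), "wb") as fh:
        fh.write(blob)
    return root


if __name__ == "__main__":
    root = make_sample_archive()
    for b in list_buckets(root):
        print(b["index"], b["bucket"], _iso(b["oldest"]), "->", _iso(b["newest"]))
    out = os.path.join(root, "archive.tsv")
    print(dump_to_flat_file(root, out), "rows written to", out)
```

Tagging each row with the bucket's time range is what makes the flat file useful later: it tells you which buckets would already be past your retention window if you ever restored them into Splunk, and it keeps the "what period does this cover" question answerable without Splunk at all.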

scelikok
SplunkTrust

Hi @abhic25,

You can check the below documents for archive and restore processes. 

Since you have a single indexer, all data is there. 

https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Backupindexeddata

https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Restorearchiveddata

You will need to use Splunk for restoring data, but the Enterprise Trial version or Free version will be enough.

If this reply helps you an upvote is appreciated.