
Splunk instances decommission and backup/archive

abhic25
Explorer

hi Experts,

We are planning to decommission on-prem Splunk Ent 8.0.

can anyone advise on how to backup and archive existing Splunk Indexed data for future reference?

also if we have to open this archived data in the future then how we can open it without Splunk.

We have 1xSH, 1xIndexer, 2 HF all are 8.0.


PickleRick
SplunkTrust

If you're absolutely sure you won't be using Splunk anymore and want to have the raw data available for any "external" means of searching/processing, you could also simply search for all data across all indexes and export the results, either as raw events into flat files or as events with metadata into CSV/JSON/XML.

Exporting data to a human-readable form of course has its pros as well as cons: if you'd ever want to use Splunk again to search your data, you'd have to re-ingest and re-index it, which of course would affect your license limits.

And remember that if you restore your Splunk environment backup some time in the future, you might hit retention periods!

abhic25
Explorer

Thanks @isoutamo and @scelikok. I will keep /opt/splunk/var/lib/splunk + /opt/splunk/etc in a safe place.

isoutamo
SplunkTrust

You can just use your favourite backup/archive tools to put that data (usually under /opt/splunk/var/lib/splunk + /opt/splunk/etc) in a safe place.

If you don't have Splunk when you need that data, you "can" look at those files under .../var/lib/splunk/..../rawdata/journal.gz (or another zipped file) with the correct tools. Those are just compressed text files which you can look at with any suitable tool. BUT finding anything special in there is a totally different story.....

r. Ismo
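Added example, not from the thread or any of its authors: a POSIX shell script that inventories the warm/cold buckets under the index store named above (bucket directories are named db_<latest_epoch>_<earliest_epoch>_<id>, so the time range each one covers can be recorded without Splunk), archives var/lib/splunk and etc, and writes a SHA-256 manifest so the archive can be verified years later. It assumes splunkd is stopped or a filesystem snapshot is used, and that SPLUNK_DB points at the index store.

```shell
#!/bin/sh
# Added example: inventory Splunk buckets, archive the index store plus etc/,
# and write a checksum manifest. Assumes splunkd is stopped (or a snapshot is
# used) so hot buckets are not changing while the archive is taken.
set -eu

SPLUNK_DB="${SPLUNK_DB:-/opt/splunk/var/lib/splunk}"

# Turn epoch seconds from a bucket name into a UTC timestamp (GNU, then BSD date).
epoch_to_date() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# Emit one TSV line per bucket: index, bucket, earliest, latest, has_journal.
# Bucket dirs are db_<latest_epoch>_<earliest_epoch>_<id> under db/ and colddb/.
inventory_buckets() {
  db="$1"
  for b in "$db"/*/db/db_*_*_* "$db"/*/colddb/db_*_*_*; do
    [ -d "$b" ] || continue
    idx=$(basename "$(dirname "$(dirname "$b")")")
    name=$(basename "$b")
    latest=$(echo "$name" | cut -d_ -f2)
    earliest=$(echo "$name" | cut -d_ -f3)
    if [ -f "$b/rawdata/journal.gz" ]; then j=yes; else j=no; fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$idx" "$name" \
      "$(epoch_to_date "$earliest")" "$(epoch_to_date "$latest")" "$j"
  done
}

# Archive the index store and etc/ (absolute paths) and write a manifest beside it.
archive_splunk() {
  db="$1"; etc="$2"; out="$3"
  inventory_buckets "$db" > "$out.buckets.tsv"
  tar -czf "$out" -C / "${db#/}" "${etc#/}"
  sha256sum "$out" "$out.buckets.tsv" > "$out.sha256"
}

# Later check, without Splunk installed: checksums match and the tarball is readable.
verify_archive() {
  sha256sum -c "$1.sha256" >/dev/null && tar -tzf "$1" >/dev/null
}
```

The bucket inventory is what lets you decide, years later, which part of the archive to restore into a trial or free Splunk instance for a given time range.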

scelikok
SplunkTrust

Hi @abhic25,

You can check the below documents for archive and restore processes. 

Since you have a single indexer, all data is there. 

https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Backupindexeddata

https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Restorearchiveddata

You will need to use Splunk for restoring data, but the Enterprise Trial version or Free version will be enough.

If this reply helps you an upvote and "Accept as Solution" is appreciated.