Deployment Architecture

backup and restore

perlish
Communicator

how can I backup config and data,then restore them ?
config:user,permition,search,view,app and so on.
data:history log data,app data

Tags (2)
0 Karma

bmacias84
Champion

By data are you referring to _internal and other indices? If you don't already know splunk indices are made of four buckets: hot, warm, cold, frozen. In general you can backup up all of your index's buckets with the exception of the "hot" bucket as splunk is actively writing to the hot bucket.

So what is your back up straegy, incremental or full? If you want to perform full backups with hot buckets you will need to use a snapshot utility. If you do not have the ability or facilities you can manually roll your hot buckets to warm using the command below and backing up your warm buckets and/or other buckets.


splunk _internal call /data/indexes/<index_name>/roll-hot-buckets

If you are using Splunk 5.x you can use cluster repllication as your backup straegy.

As for .conf files which contain all my configutions, I have built mutliple Splunk Apps and Technology Add-ons (TAs) that are deployed by the Deployment Server so config files are not edit locally. My apps are contained in source control and backed up. Alternatively you could backup Deployment Server deploment apps directly and serverclass.conf. Also don't forget to backup your knowledge objects $SPLUNK_HOME\etc\users.

Since I use LDAP authenication and have user roles mapped within an app I dont worry about User and Permissions.

To sum it up in general you should backup the following:

  • Indices (always before an upgrade)
  • Knowledge objects
  • .conf files (custom apps or locally defined)

For restoring I would deploy all my confile first and copy indices to the same directory structure.

additional Reading

WhatisSplunkknowledge

Backupindexeddata

Aboutdeploymentserver

Hope this helps and gets you started, but this is really a can a worms depending on your operational reqirements and mandates. If this helps don't for get to accept and vot it up.

Cheers,

ChrisG
Splunk Employee
Splunk Employee

There are two topics in the documentation you should look at:

  1. Back up configuration information in the Admin Manual
  2. Back up indexed data (and the topics that follow it) in the Managing Indexers and Clusters manual.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...