Knowledge Management

Hi I need to do a 100% backup of the full SPLUNK directory and all its contents.


Hi I need to do a 100% backup of the full SPLUNK directory and all its contents.
We have a tool in the company that does this, however when i tired to test this SPLUNK started up the index were empty.
Then i read on the SPLUNK Web about Back-up Steps, however i was hoping for a way that i could take the full directory and not to run different steps etc...

At the moment the workaround is to STOP splunk do the back up and then start SPLUNK. However this is not great.

Is there anyway to do a HOT backup (from the file system) when SPLUNK is still up and copy something that will come back to life (If i miss 1 hours of data its not the end of the world for us)

Any help would be great 🙂

Tags (1)
0 Karma

Ultra Champion

hope you found an answer already, just in case you did not and to answer the question here:
the challenge here is that hot buckets are open for writes and constantly change as data is written to.
you can specify your backup to ignore those. so you will copy / backup. check this link regarding buckets naming conventions:
if your indexers are not clustered, you will backup buckets that are not: hot_<N>_guid
to get the best latest backup, you can restart splunk before the backup, this will roll all hot buckets to warm and seal them so they cant be written to.
as you mentioned, if you miss 1 hour of data in the backup its not the end of the world
hope it helps

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...