
Hi I need to do a 100% backup of the full SPLUNK directory and all its contents.


We have a tool in the company that does this; however, when I tried to test this, SPLUNK started up and the indexes were empty.
Then I read on the SPLUNK Web about Back-up Steps; however, I was hoping for a way that I could take the full directory and not run different steps, etc.

At the moment the workaround is to STOP Splunk, do the backup and then start SPLUNK. However, this is not great.

Is there any way to do a HOT backup (from the file system) when SPLUNK is still up and copy something that will come back to life? (If I miss 1 hour of data it's not the end of the world for us.)

Any help would be great 🙂

0 Karma

Ultra Champion

Hope you found an answer already; just in case you did not, and to answer the question here:
The challenge here is that hot buckets are open for writes and constantly change as data is written to them.
You can specify your backup to ignore those. So you will copy / backup. Check this link regarding bucket naming conventions:
If your indexers are not clustered, you will back up buckets that are not: hot_<N>_guid
To get the best latest backup, you can restart Splunk before the backup; this will roll all hot buckets to warm and seal them so they can't be written to.
As you mentioned, if you miss 1 hour of data in the backup it's not the end of the world.
Hope it helps

0 Karma
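
The approach in the answer above (copy the index tree from the file system but leave out hot buckets) as an added example; it is not part of the original thread and not Splunk's own tooling. The function names and the sample bucket and file names are constructed for the demo, and the only naming rule it relies on is the `hot_` prefix mentioned in the answer.

```shell
#!/bin/sh
# Added example (not from the thread): file-level copy of a running indexer's
# index tree that leaves out hot buckets, which are still open for writes.

# backup_without_hot SRC DST: copy every file under SRC into DST, pruning
# any directory named hot_* (the hot-bucket prefix named in the answer).
backup_without_hot() {
    src=$1
    mkdir -p "$2" || return 1
    dst=$(cd "$2" && pwd) || return 1        # absolute, since we cd below
    ( cd "$src" || exit 1
      find . -type d -name 'hot_*' -prune -o -type f -exec sh -c '
          dst=$1; shift
          for f do
              mkdir -p "$dst/$(dirname "$f")" && cp -p "$f" "$dst/$f" || exit 1
          done' sh "$dst" {} + )
}

# hot_buckets_in DIR: number of hot_* directories found under DIR.
# Run it against the finished backup; anything other than 0 is a failure.
hot_buckets_in() {
    find "$1" -type d -name 'hot_*' | wc -l | tr -d ' '
}

# make_sample_tree DIR: constructed layout, one index with one hot bucket
# and two sealed ones. Bucket and file names are made up for the demo.
make_sample_tree() {
    for b in hot_v1_7 db_1700003600_1700000000_5 db_1700007200_1700003601_6; do
        mkdir -p "$1/main/db/$b/rawdata" || return 1
        echo "constructed sample" > "$1/main/db/$b/rawdata/journal.gz"
    done
}

# Demo on a throwaway directory; point SRC at the real index path instead.
work=$(mktemp -d)
make_sample_tree "$work/src"
backup_without_hot "$work/src" "$work/backup"
echo "hot buckets in source: $(hot_buckets_in "$work/src")"
echo "hot buckets in backup: $(hot_buckets_in "$work/backup")"
rm -rf "$work"
```

Events still sitting in hot buckets at copy time are not in the backup, which is the data-loss window the question says is acceptable.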