Is it possible to restore a KV store by overwriting the mongo folder contents backend?

andrewtrobec
Motivator

Hello,

I accidentally cleaned a KV store and I don't have the source data to recreate it. I do have backups of the /var/lib/splunk/kvstore/mongo directory.

Is it possible to overwrite the contents of the now empty KV store by copying the contents of my backup into the mongo folder backend?

Thanks!

Andrew


andrewtrobec
Motivator

I found a solution that works for me and involves loading the backup into a local mongo and exporting what I need to a CSV file. Here are the steps:

This was done with mongo from Splunk 7.3.5, recovered on a Win10 workstation

  1. Obtain copy of KV store (default location /opt/splunk/var/lib/splunk/kvstore/mongo/) and place in local directory (ex. C:\mongo_backup)
  2. Download MongoDB community edition 3.6.x (https://www.mongodb.com/download-center/community/releases)
  3. Install as admin with default settings. Install MongoDBCompass as well (you will be prompted during install)
  4. Run CMD as admin and browse to MongoDB bin directory (C:\Program Files\MongoDB\Server\3.6\bin)
  5. Launch mongod process on mongo backup: mongod --dbpath C:\mongo_backup (CMD window will remain open)
  6. Launch MongoDBCompass
  7. Connect to mongod process by clicking CONNECT (you don't need to specify connection string, it automatically assumes localhost on default port)
  8. From the database list that appears, select the one to export
  9. Select the collection inside the db to view database
  10. On the right-hand side of the green "ADD DATA" button click the "Export Collection" icon
  11. Select "Export Full Collection" and click "SELECT FIELDS"
  12. Select the fields to export and click "SELECT OUTPUT"
  13. Select export format, specify filename, and click "EXPORT"

I will now take the export (CSV in my case), load it into Splunk, and write it to the KV store.

Hope this provides some useful info for others with my problem.

Regards,

Andrew
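
The same export can be scripted instead of clicking through Compass. The PowerShell below is an added example, not part of the original post: it copies the backup to a scratch directory, starts mongod on that copy bound to localhost only, and runs mongoexport (installed in the same bin directory with MongoDB 3.6). The scratch path, port, output path, and the database, collection and field placeholders are assumptions to replace with your own values.

```powershell
# Added example (not from the original post). Paths follow the post's steps;
# names in <angle brackets> are placeholders, the scratch path and port are assumptions.
$MongoBin   = 'C:\Program Files\MongoDB\Server\3.6\bin'
$Backup     = 'C:\mongo_backup'         # copy of the kvstore\mongo directory (step 1)
$WorkDir    = 'C:\mongo_restore_work'   # hypothetical scratch directory
$Port       = 27117                     # arbitrary non-default port
$Database   = '<database_name>'
$Collection = '<collection_name>'
$Fields     = '<field1>,<field2>'       # mongoexport needs --fields for CSV output
$OutFile    = 'C:\mongo_export\export.csv'

$ErrorActionPreference = 'Stop'

# mongod writes to its dbpath (lock file, journal), so run it on a copy
# and leave the only remaining backup untouched.
if (Test-Path $WorkDir) { throw "$WorkDir already exists; remove it or pick another path." }
Copy-Item -Path $Backup -Destination $WorkDir -Recurse
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# Bind to loopback only: the recovered data has no authentication configured here.
$mongod = Start-Process -FilePath (Join-Path $MongoBin 'mongod.exe') `
    -ArgumentList @('--dbpath', $WorkDir, '--bind_ip', '127.0.0.1', '--port', $Port) `
    -PassThru -WindowStyle Hidden

try {
    # Wait up to 30 seconds for mongod to accept connections.
    $ready = $false
    foreach ($i in 1..30) {
        if ($mongod.HasExited) { throw 'mongod exited before it started listening.' }
        $client = New-Object System.Net.Sockets.TcpClient
        try { $client.Connect('127.0.0.1', $Port); $ready = $true }
        catch { }
        finally { $client.Close() }
        if ($ready) { break }
        Start-Sleep -Seconds 1
    }
    if (-not $ready) { throw 'mongod did not start listening within 30 seconds.' }

    # Equivalent of steps 8-13: export the chosen fields of one collection to CSV.
    & (Join-Path $MongoBin 'mongoexport.exe') --host 127.0.0.1 --port $Port `
        --db $Database --collection $Collection --type=csv --fields $Fields --out $OutFile
    if ($LASTEXITCODE -ne 0) { throw "mongoexport failed with exit code $LASTEXITCODE" }
}
finally {
    # The scratch copy is disposable, so the process is simply stopped.
    if (-not $mongod.HasExited) { Stop-Process -Id $mongod.Id }
}
```

Delete the scratch directory and the exported CSV once the data is back in the KV store, since both hold a full plaintext copy of the collection.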
