Knowledge Management

Is it possible to restore a KV store by overwriting the mongo folder contents backend?

andrewtrobec
Motivator

Hello,

I accidentally cleaned a KV store and I don't have the source data to recreate it.  I do have backups of the /var/lib/splunk/kvstore/mongo directory.

Is it possible to overwrite the contents of the now empty KV store by copying the contents of my backup into the mongo folder backend?

Thanks!

Andrew

Labels (1)
Tags (3)
0 Karma
1 Solution

andrewtrobec
Motivator

 I found as solution that works for me and involves loading the backup into a local mongo and exporting what i need to a csv file.  Here are  the steps:

 

This was done with mongo from Splunk 7.3.5, recover on win10 workstation

  1. Obtain copy of KV store (default location /opt/splunk/var/lib/splunk/kvstore/mongo/) and place in local directory (ex. C:\mongo_backup)
  2. Download MongoDB community edition 3.6.x (https://www.mongodb.com/download-center/community/releases)
  3. Install as admin with default settings. Install MongoDBCompass as well (you will be prompted during install)
  4. Run CMD as admin and browse to MongoDB bin directory (C:\Program Files\MongoDB\Server\3.6\bin)
  5. Launch mongod process on mongo backup: mongod --dbpath C:\mongo_backup (CMD window will remain open)
  6. Launch MongoDBCompass
  7. Connect to mongod process by clicking CONNECT (you don't need to specify connection string, it automatically assumes localhost on default port)
  8. From the database list that appears, select the one to export
  9. Select the collection inside the db to view database
  10. On the right hand side of the green "ADD DATA" button click the "Export Collection" icon
  11. Select "Export Full Collection" and click "SELECT FIELDS"
  12. Select the fields to export and click "SELECT OUTPUT"
  13. Select export format, specify filename, and click "EXPORT"

I will now take the export (csv in my case) load it into Splunk and write to the KV store.

Hope this provides some useful info for others with my problem.

Regards,

Andrew

View solution in original post

andrewtrobec
Motivator

 I found as solution that works for me and involves loading the backup into a local mongo and exporting what i need to a csv file.  Here are  the steps:

 

This was done with mongo from Splunk 7.3.5, recover on win10 workstation

  1. Obtain copy of KV store (default location /opt/splunk/var/lib/splunk/kvstore/mongo/) and place in local directory (ex. C:\mongo_backup)
  2. Download MongoDB community edition 3.6.x (https://www.mongodb.com/download-center/community/releases)
  3. Install as admin with default settings. Install MongoDBCompass as well (you will be prompted during install)
  4. Run CMD as admin and browse to MongoDB bin directory (C:\Program Files\MongoDB\Server\3.6\bin)
  5. Launch mongod process on mongo backup: mongod --dbpath C:\mongo_backup (CMD window will remain open)
  6. Launch MongoDBCompass
  7. Connect to mongod process by clicking CONNECT (you don't need to specify connection string, it automatically assumes localhost on default port)
  8. From the database list that appears, select the one to export
  9. Select the collection inside the db to view database
  10. On the right hand side of the green "ADD DATA" button click the "Export Collection" icon
  11. Select "Export Full Collection" and click "SELECT FIELDS"
  12. Select the fields to export and click "SELECT OUTPUT"
  13. Select export format, specify filename, and click "EXPORT"

I will now take the export (csv in my case) load it into Splunk and write to the KV store.

Hope this provides some useful info for others with my problem.

Regards,

Andrew

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...