We are trying to automate KV Store backup/restore but there is something I do not understand yet.
Prior 6.5.3, you had to stop the Search Head, then backup the KV Store directory. (https://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/BackupKVstore)
Now, there is an handy dedicated command for that which is great. (https://docs.splunk.com/Documentation/Splunk/7.2.8/Admin/BackupKVstore
I am lost with the size difference thought.
On our Search Head, KV Store directory weight ~1 GB.
When I check our KV Store collections from the Monitoring Console, it weights less than 20 MBs total.
When I try to backup using the backup command, the output weight a few MBs, which fits well with what I see from the Monitoring COnsole.
So I am wondering why the size difference is so big between both methods. What would I loose if I restore the KV Store with the lightweight few MBs backup to a reconstructed Search Head?
Any clue ?
Thanks in advance!
Because nothing compresses the backend mongo DB logs, etc on disc. The only way to shrink the kvstore is back it up, clear it and restore.
View solution in original post
Thanks @starcher !
It worked like a charm indeed!