We are trying to automate KV Store backup/restore but there is something I do not understand yet.
Prior 6.5.3, you had to stop the Search Head, then backup the KV Store directory. (https://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/BackupKVstore)
Now, there is an handy dedicated command for that which is great. (https://docs.splunk.com/Documentation/Splunk/7.2.8/Admin/BackupKVstore
I am lost with the size difference thought.
On our Search Head, KV Store directory weight ~1 GB.
When I check our KV Store collections from the Monitoring Console, it weights less than 20 MBs total.
When I try to backup using the backup command, the output weight a few MBs, which fits well with what I see from the Monitoring COnsole.
So I am wondering why the size difference is so big between both methods. What would I loose if I restore the KV Store with the lightweight few MBs backup to a reconstructed Search Head?
Any clue ?
Thanks in advance!