Splunk Enterprise Security

Why do I need to back up indexes, configuration files, etc.?

Explorer

Hi Splunkers,

I have a concern where Splunk says: "If you use a .tar file, expand it into the same directory with the same ownership as your existing Splunk Enterprise instance. This overwrites and replaces matching files but does not remove unique files."

Does it mean I'm safe to go without backing up my data?

Note: we have data indexes at a different location (not the default /opt/splunk/var/lib/splunk), except for internal indexes.

Also, can I upgrade with a tarball on top of an RPM (installed previously)?

Any help is highly appreciated

Thanks,
Pramodh


Contributor

Hi Pramodh,
I will try to answer as precisely as possible, based on how I would handle this myself:

"Also, can I upgrade with a tarball on top of an RPM (installed previously)?"
On Linux you can "upgrade" a Splunk installation by extracting the tarball on top of the existing installation. After the upgrade, you may need to re-accept the license agreement the first time you start up Splunk. Also, at the first start, Splunk may do things to upgrade its configurations and internal data structures. Your index data itself will most likely not be affected; your index metadata most likely will be affected. Last, but not least, you need to make sure that the /opt/splunk tree has the right ownership, especially if you run Splunk as a non-root user.

"Does it mean I'm safe to go without backing up my data?"
No, it is never safe to do an upgrade without previously saving the .../etc directory with your settings. The Splunk statement above implies that, if you have followed best practices and did not change any files in the ../default directories but did all local configurations in the ../local directories, then you will not lose any of your own configurations, because the tarball does not contain any ../local paths.

Best regards
Oliver

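The behaviour Oliver describes (default/ trees replaced, local/ trees and other unique files left alone, ownership to be verified afterwards) can be rehearsed before touching a production box. The script below is an added example, not code from this thread or from Splunk: it builds a constructed throwaway $SPLUNK_HOME and a constructed "release" tarball in a temp directory, backs up etc/, extracts the tarball over the install the same way a real Splunk tarball (which unpacks to a top-level splunk/ directory) would be, and checks each expectation. The function names, the fixture layout and the conf contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): rehearse a
# tarball-over-existing-install upgrade against a constructed fake
# $SPLUNK_HOME so the behaviour can be checked without a real Splunk.
# Function names and the fixture layout are this example's own assumptions.
# To use the helpers for real, stop Splunk first and run them as the Splunk
# service account.
set -eu

# Archive $SPLUNK_HOME/etc to a timestamped tarball outside $SPLUNK_HOME, so
# the upgrade cannot touch the copy. Prints the archive path.
backup_etc() {
    be_out="$2/splunk-etc-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$be_out" -C "$1" etc
    printf '%s\n' "$be_out"
}

# List everything under $SPLUNK_HOME not owned by the given user (name or uid).
# Empty output before and after the extraction is what you want; anything
# listed afterwards means the tarball was unpacked as the wrong user.
files_not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Expand the release tarball over the existing install. The tarball carries a
# top-level "splunk/" directory, so it is extracted into the parent of
# $SPLUNK_HOME. tar replaces files present in both (the .../default trees)
# and leaves files present only on disk (the .../local trees, index data).
extract_over_install() {
    tar -xzf "$2" -C "$(dirname "$1")"
}

# Constructed fixture: a tiny install with one default/local pair plus a
# local-only file, and a "new release" tarball that carries a changed
# default, a new binary, and no local/ at all.
make_fixture() {
    mf_home="$1/splunk"
    mkdir -p "$mf_home/etc/system/default" "$mf_home/etc/system/local" \
             "$mf_home/var/lib/splunk"
    printf 'maxKBps = 256\n' > "$mf_home/etc/system/default/limits.conf"
    printf 'maxKBps = 0\n'   > "$mf_home/etc/system/local/limits.conf"
    printf 'disabled = 0\n'  > "$mf_home/etc/system/local/inputs.conf"
    mf_rel="$1/release/splunk"
    mkdir -p "$mf_rel/etc/system/default" "$mf_rel/bin"
    printf 'maxKBps = 512\n' > "$mf_rel/etc/system/default/limits.conf"
    printf 'new binary\n'    > "$mf_rel/bin/splunk"
    tar -czf "$1/splunk-new.tgz" -C "$1/release" splunk
}

# Run the rehearsal in a scratch directory. Prints "ok" only when a backup
# was written, local/ survived untouched, the local-only file is still there,
# default/ was replaced, the new file arrived, and nothing under
# $SPLUNK_HOME changed owner.
rehearse() {
    work=$(mktemp -d)
    make_fixture "$work"
    home="$work/splunk"
    me=$(id -u)
    backup=$(backup_etc "$home" "$work")
    extract_over_install "$home" "$work/splunk-new.tgz"
    result=ok
    [ -s "$backup" ] || result="no backup written"
    [ "$(cat "$home/etc/system/local/limits.conf")" = "maxKBps = 0" ] || result="local/ clobbered"
    [ -f "$home/etc/system/local/inputs.conf" ] || result="unique file removed"
    [ "$(cat "$home/etc/system/default/limits.conf")" = "maxKBps = 512" ] || result="default/ not replaced"
    [ -f "$home/bin/splunk" ] || result="new file missing"
    [ -z "$(files_not_owned_by "$home" "$me")" ] || result="ownership drift"
    rm -rf "$work"
    printf '%s\n' "$result"
}

rehearse
```

Run as is, it prints "ok" on the fake install. Against a real box, stop splunkd first, run backup_etc and extract_over_install as the Splunk service account with the real $SPLUNK_HOME and downloaded .tgz, run files_not_owned_by with that account's name before starting Splunk again, and expect to re-accept the license on first start. The diag and KV Store backup recommended in the other answer are separate steps and are not part of this script.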

Esteemed Legend

Your question is very vague but perhaps you are asking about upgrading Splunk using tarball instead of rpm. Very generally, you are correct; upgrading this way should preserve your custom configuration settings, assuming you did the proper thing and NEVER modified any Splunk files in any default directory. However, you are taking way too big of a risk not doing backups before an upgrade. At a minimum, you should do a diag on each box and backup the KV Store. In general, when preparing for an upgrade, the more/broader the backups the better.

Explorer

I accept this answer as well, many thanks.



Explorer

Many Thanks for detailing


SplunkTrust

Backups are a good practice in case something goes wrong. It's correct that the tar will only overwrite configurations found in default and not local, but I would not suggest going without a backup of your $SPLUNK_HOME/etc directory.

Skalli