We are using this https://splunkbase.splunk.com/app/5328/. Of course you can use that splunk backup kvstore from command line, but then you must add user + password somewhere in plain text, which is something that I don't like.
How often you should run this? That depends on how active your kvstore is and how long RPO is.
Sir, which servers do have KVstores that are worth backing up using this tool & how often do I back the KVstores on the Splunk servers? Thank u in advance.
This isn't really a question that anyone can answer for you. This is basically something that you need to answer yourself. I'd base the frequency based on how much data in the kvstore(s) you can lose in the instance of a failure, as well as the storage that you're willing to use for backups.
Thank u for your message. I know KVstores are specific for Ent. Security app. but are there other KVstores on other Splunk servers worth backing up ? Which ones please. Thank u sir.
You must backup at least your SHC nodes. And also I propose to backup other SH nodes too. Of course if you have kvstore in use on other nodes also, you should backup those too.
Thank u sir as always for your expert help. One more question. Should I be installing the app # 5328 on each server individually to back up the KVstores please? Thank u
