Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Restore KVStore if we do not have splunk kvstore backup

vksplunk1
Explorer
‎02-18-2025 02:03 PM

Hi - We have accidentally deleted kvstore with outputlookup command. We do not have a backup from splunk.

 

How to Restore KVStore from back up of  splunk home( /opt/splunk )directory backup

Labels (1)
Labels
0 Karma
Reply

kiran_panchavat
Influencer
‎02-18-2025 09:50 PM

@vksplunk1 

The KV store isn’t very reliable, so it's best to back it up regularly.

1. Some apps store their lookups in the kvstore. (collections.conf)

2. Some apps store all their configuration in the kvstore (ITSI, but they also do daily backups.

For Splunk itself

1. It sometimes uses the kvstore to track which summary indexing time range was done.

It's wise to back up your KV store regularly since it's vulnerable to data loss. If it gets corrupted, deleted, or runs into issues during an upgrade or restart, you could lose valuable data. Keeping backups helps you recover your data quickly if anything goes wrong.

https://community.splunk.com/t5/Knowledge-Management/Is-there-any-way-to-retrieve-kv-store-that-was-... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

livehybrid
Champion
‎02-18-2025 02:11 PM

Hi @vksplunk1 

By default your KV store files will be stored in $SPLUNK_HOME/var/lib/splunk/kvstore/mongo - so if you have a backup of this directory you may be able to get the data back based on the time it was backed up, however I would look at recovering this to a different / test server rather than your production instance as it isnt possible to pick and choose which files to restore. 

Therefore you might need to recover the whole backup and then take a backup from the recovered data before restoring. Do you have other lookups also? This will affect those if you overwrite from an old backup.

You could try this approach, and depending on the size of your lost KV Store lookup. you could export it from the restored backup, then load it back into the KV Store on your production instance using a mixture of |inputlookup <restoredData.csv> | outputlookup <OriginalLookupName>

Do you think this might work for your situation?

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply

vksplunk1
Explorer
‎02-25-2025 06:57 AM

Thank you for your suggestions. We do not have a test server to restore before restoring it on to prod server. 

 

On a separate note, is it possible to schedule a report or a script to backup kvstore on a daily basis to avoid restoring from  backup of /opt/splunk/var/lib/splunk/backup  directory

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top