What is the correct method to backup/restore Splunk Enterprise?

SplunkNinja
Path Finder

What is the correct method to backup/restore Splunk Enterprise?

I believe I can backup (Linux) using this command:

tar czvf /opt/$HOSTNAME.tgz /opt/splunk/etc/


PickleRick
SplunkTrust

The process of backup/restore depends on what you need - do you need to back up only configuration or the data as well. If you want to back up everything, what is your RTO and RPO...


SplunkNinja
Path Finder

Hi PickleRick,

This is a lab/dev environment so we don't really have an RTO/RPO. It would be great if you could list some options. Thanks!


PickleRick
SplunkTrust

There is a more detailed description in the Admin Guide but in case of a lab environment (typically an all-in-one setup), the easiest things are to:

1) Copy the $SPLUNK_HOME/etc if you want to have just the configuration or

2) Stop the splunk daemon and copy the whole $SPLUNK_HOME if you want a full backup of all data.

Remember to restore to the same version!


13tsavage
Communicator

This is previously answered here: https://community.splunk.com/t5/Splunk-Enterprise/Configuration-Backup/m-p/577865

All of the ESSENTIAL configurations are found in $SPLUNK_HOME/etc/. In this hypothetical scenario, you would want to ensure this folder is captured. It includes the following:

- Splunk Enterprise License $SPLUNK_HOME/etc/licenses
- Splunk user knowledge objects $SPLUNK_HOME/etc/apps/<app_name>/local/*

What is NOT included in this backup and restore of $SPLUNK_HOME/etc/ is the indexed data, as that is stored in $SPLUNK_HOME/var/lib/splunk/* (may be $SPLUNK_DB/).

So if you are asking to back up and restore a single instance of Splunk, you would want to ensure you include $SPLUNK_DB ($SPLUNK_HOME/var/lib/splunk/*).

SplunkNinja
Path Finder

Thanks 13tsavage

This is just a standalone SH. So, I believe I should be OK with archiving $SPLUNK_HOME/etc

Would this be a good command to be used to restore:

tar xzvf /opt/$HOSTNAME.tgz -C /opt/splunk/etc/


13tsavage
Communicator

Be careful with the command because if you have an archived folder of '/opt/splunk/etc/' in $HOSTNAME.tgz, you are telling your instance to place this directory in /opt/splunk/etc/. What this could do is place your 'etc' folder in the last directory you specify after -C, so the backup's 'etc/' folder would be placed in /opt/splunk/etc/etc <- here.

The following command should suffice:

tar -xzvf /opt/$HOSTNAME.tgz -C /opt/splunk/

It is my recommendation to always run scenarios like this in your own test environment before trying to perform backups and restores of production tools.
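The -C pitfall described above, as an added bash example that is not from this thread or from Splunk's own documentation: it archives $SPLUNK_HOME/etc and then derives the correct -C directory for restore from the archive's own leading path, which is why an archive taken as /opt/splunk/etc/ needs -C / while a relative one needs -C /opt/splunk. All paths are assumptions, and a throwaway directory stands in for /opt/splunk so it runs without a Splunk install.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or Splunk's docs. Archives
# $SPLUNK_HOME/etc and works out the "-C" directory for restore from the
# archive's own leading path, so the etc/ tree cannot land in etc/etc.
# Paths are assumptions; a temp directory stands in for /opt/splunk.
set -eu

# Back up $SPLUNK_HOME/etc. Entries are stored relative to the parent of
# $SPLUNK_HOME (e.g. "splunk/etc/..."), which keeps the archive relocatable.
backup_etc() {
  local splunk_home="$1" out="$2"
  tar -czf "$out" -C "$(dirname "$splunk_home")" "$(basename "$splunk_home")/etc"
}

# First path stored in the archive. tar strips the leading "/", so the
# thread's backup of /opt/splunk/etc/ is listed as "opt/splunk/etc/".
archive_prefix() {
  tar -tzf "$1" | head -n 1
}

# Return the "-C" directory that puts the archived etc/ back at
# $SPLUNK_HOME/etc, whether the archive was taken as "etc", "splunk/etc"
# or "opt/splunk/etc" (the last case is why the thread needed "-C /").
restore_dir_for() {
  local archive="$1" splunk_home="$2" prefix lead part
  prefix="$(archive_prefix "$archive")"
  case "$prefix" in
    etc|etc/*) printf '%s\n' "$splunk_home" ;;
    */etc|*/etc/*)
      lead="${prefix%/etc*}"          # "opt/splunk/etc/" -> "opt/splunk"
      local dir="$splunk_home" IFS='/'
      for part in $lead; do           # climb one level per path component
        dir="$(dirname "$dir")"
      done
      printf '%s\n' "$dir" ;;
    *) echo "unexpected archive layout: $prefix" >&2; return 1 ;;
  esac
}

# Restore into the live $SPLUNK_HOME (stop splunkd first on a real host).
restore_etc() {
  local archive="$1" splunk_home="$2" dir
  dir="$(restore_dir_for "$archive" "$splunk_home")"
  tar -xzf "$archive" -C "$dir"
}
```

Run `tar -tzf backup.tgz | head -n 1` before any restore; the first entry tells you which -C directory the archive expects.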

SplunkNinja
Path Finder

Thanks 13tsavage.

I had to use this command to extract to /opt/splunk/etc:

tar -xzvf /opt/$HOSTNAME.tgz -C /


richgalloway
SplunkTrust

It depends on what data you want to preserve, but that command should cover most scenarios.
