Hi PickleRick,

This is a lab/dev environment so we don't really have an RTO/RPO.  It would be great if you could list some options.  Thanks!

There is a more detailed description in the Admin Guide but in case of a lab environment (typically an all-in-one setup), the easiest things are to:

1) Copy the $SPLUNK_HOME/etc if you want to have just the configuration or

2) Stop the splunk daemon and copy the whole $SPLUNK_HOME if you want a full backup of all data.

Remember to restore to the same version!

Thanks 13tsavage

This is just a standalone SH. So, I believe I should be OK with archiving $SPLUNK_HOME/etc

Would this be a good command to be used to restore:

tar xzvf /opt/$HOSTNAME.tgz -C /opt/splunk/etc/

Be careful with the command because if you have an archived folder of '/opt/splunk/etc/' in $HOSTNAME.tgz, you are telling your instance to place this directory in /opt/splunk/etc/. What this could do is place your 'etc' folder in the last directory you specify after -C, so the backup's 'etc/' folder would be placed in /opt/splunk/etc/etc <- here.

the following command should suffice:
tar -xzvf /opt/HOSTNAME.tgz -C /opt/splunk/

It is my recommendation to always run scenarios like this in your own test environment before trying to perform backup and and restores of production tools.

Thanks 13tsavage.

I had to use this command to extract to /opt/splunk/etc:

tar -xzvf /opt/$HOSTNAME.tgz -C /