Splunk Enterprise

What is the correct method to backup/restore Splunk Enterprise?

SplunkNinja
Explorer

I believe I can backup (Linux) using this command:

tar czvf /opt/$HOSTNAME.tgz /opt/splunk/etc/

0 Karma

PickleRick
SplunkTrust

The process of backup/restore depends on what you need - do you need to back up only configuration or the data as well. If you want to back up everything, what is your RTO and RPO...

0 Karma

SplunkNinja
Explorer

Hi PickleRick,

This is a lab/dev environment so we don't really have an RTO/RPO. It would be great if you could list some options. Thanks!

0 Karma

PickleRick
SplunkTrust

There is a more detailed description in the Admin Guide but in case of a lab environment (typically an all-in-one setup), the easiest things are to:

1) Copy the $SPLUNK_HOME/etc if you want to have just the configuration or

2) Stop the splunk daemon and copy the whole $SPLUNK_HOME if you want a full backup of all data.

Remember to restore to the same version!

0 Karma

13tsavage
Communicator

This is previously answered here: https://community.splunk.com/t5/Splunk-Enterprise/Configuration-Backup/m-p/577865

All of the ESSENTIAL configurations are found in $SPLUNK_HOME/etc/. In this hypothetical scenario, you would want to ensure this folder is captured. It includes the following:

- Splunk Enterprise license: $SPLUNK_HOME/etc/licenses
- Splunk user knowledge objects: $SPLUNK_HOME/etc/apps/<app_name>/local/*

What is NOT included in this backup and restore of $SPLUNK_HOME/etc/ is the indexed data as that is stored in $SPLUNK_HOME/var/lib/splunk/* (may be $SPLUNK_DB/)

So if you are asking to back up and restore a single instance of Splunk? You would want to ensure you include $SPLUNK_DB ($SPLUNK_HOME/var/lib/splunk/*).

SplunkNinja
Explorer

Thanks 13tsavage

This is just a standalone SH. So, I believe I should be OK with archiving $SPLUNK_HOME/etc

Would this be a good command to be used to restore:

tar xzvf /opt/$HOSTNAME.tgz -C /opt/splunk/etc/


13tsavage
Communicator

Be careful with the command because if you have an archived folder of '/opt/splunk/etc/' in $HOSTNAME.tgz, you are telling your instance to place this directory in /opt/splunk/etc/. What this could do is place your 'etc' folder in the last directory you specify after -C, so the backup's 'etc/' folder would be placed in /opt/splunk/etc/etc <- here.

The following command should suffice:

tar -xzvf /opt/$HOSTNAME.tgz -C /opt/splunk/

It is my recommendation to always run scenarios like this in your own test environment before trying to perform backups and restores of production tools.

SplunkNinja
Explorer

Thanks 13tsavage.

I had to use this command to extract to /opt/splunk/etc:

tar -xzvf /opt/$HOSTNAME.tgz -C /

0 Karma
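The procedure described in PickleRick's and 13tsavage's replies (copy $SPLUNK_HOME/etc for configuration only, stop the daemon and copy the whole $SPLUNK_HOME for a full backup, restore only onto the same version) and the extraction pitfall resolved above (the archive holds paths relative to /, so the restore must use -C /) can be scripted as below. This is an added example, not code from the thread or from Splunk. It assumes that $SPLUNK_HOME/etc/splunk.version contains a VERSION=x.y.z line (which the same-version check reads) and that the daemon is stopped and started through $SPLUNK_HOME/bin/splunk when that binary exists; on a bare directory tree with no Splunk installed the stop/start step is skipped, so the functions can be exercised in a scratch directory first, as 13tsavage recommends.

```shell
#!/bin/sh
# Added example: backup/restore helpers for an all-in-one Splunk Enterprise lab
# instance. Not Splunk-supplied tooling.
# Assumptions (not from the original thread):
#   - $SPLUNK_HOME/etc/splunk.version carries a "VERSION=x.y.z" line, used for
#     the same-version check recommended in the thread;
#   - stop/start goes through $SPLUNK_HOME/bin/splunk if that binary exists,
#     and is skipped otherwise (scratch trees with no Splunk installed).
set -eu

# Stop or start Splunk if the binary is present; no-op otherwise.
splunk_ctl() {  # $1 = SPLUNK_HOME, $2 = stop|start
    [ -x "$1/bin/splunk" ] && "$1/bin/splunk" "$2" || true
}

# Print the VERSION= value from splunk.version, or "unknown" if it is missing.
splunk_version() {  # $1 = SPLUNK_HOME
    if [ -r "$1/etc/splunk.version" ]; then
        sed -n 's/^VERSION=//p' "$1/etc/splunk.version"
    else
        echo unknown
    fi
}

# Back up configuration only (mode "etc") or everything (mode "full").
# The daemon is stopped while the archive is written so that indexes and the
# KV store are consistent, then started again.
splunk_backup() {  # $1 = SPLUNK_HOME, $2 = archive path, $3 = etc|full
    home=$1; out=$2; mode=${3:-etc}
    case $mode in
        etc)  target="$home/etc" ;;
        full) target="$home" ;;
        *)    echo "mode must be etc or full" >&2; return 2 ;;
    esac
    splunk_ctl "$home" stop
    # Change to / and archive the path without its leading slash: the stored
    # entries are then exactly the on-disk paths minus "/", which is what makes
    # "tar -x -C /" put them back where they came from (and is why -C
    # /opt/splunk/etc would have nested a second opt/splunk/etc underneath).
    tar czf "$out" -C / "${target#/}"
    splunk_ctl "$home" start
    # Record the version beside the archive for the restore-time check.
    splunk_version "$home" > "$out.version"
}

# Restore an archive made by splunk_backup onto an instance of the same version.
# Refuses to overwrite a target running a different Splunk version; a target
# with no splunk.version (fresh directory) is accepted.
splunk_restore() {  # $1 = archive path, $2 = SPLUNK_HOME of the target
    arc=$1; home=$2
    want=$(cat "$arc.version")
    have=$(splunk_version "$home")
    if [ "$have" != unknown ] && [ "$have" != "$want" ]; then
        echo "refusing: archive is from Splunk $want, target runs $have" >&2
        return 1
    fi
    splunk_ctl "$home" stop
    tar xzf "$arc" -C /
    splunk_ctl "$home" start
}

# Typical use on the standalone search head from the thread:
#   splunk_backup /opt/splunk "/opt/$HOSTNAME.tgz" etc     # configuration only
#   splunk_backup /opt/splunk "/opt/$HOSTNAME.tgz" full    # etc plus $SPLUNK_DB
#   splunk_restore "/opt/$HOSTNAME.tgz" /opt/splunk
```

Because the archive stores absolute paths (minus the leading slash), a restore lands the files at the original $SPLUNK_HOME, not wherever the current directory happens to be; moving an instance to a different path would need an extra `--strip-components` pass and an updated SPLUNK_HOME, which the thread does not cover. The version file written next to the archive is what turns PickleRick's "restore to the same version" reminder into a check that fails loudly instead of silently corrupting the target.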

richgalloway
SplunkTrust

It depends on what data you want to preserve, but that command should cover most scenarios.

---
If this reply helps you, Karma would be appreciated.