Splunk Enterprise

What is the correct method to backup/restore Splunk Enterprise?

SplunkNinja
Explorer

I believe I can backup (Linux) using this command:

tar czvf /opt/$HOSTNAME.tgz /opt/splunk/etc/


PickleRick
SplunkTrust

The process of backup/restore depends on what you need - do you need to back up only configuration or the data as well. If you want to back up everything, what is your RTO and RPO...

SplunkNinja
Explorer

Hi PickleRick,

This is a lab/dev environment so we don't really have an RTO/RPO.  It would be great if you could list some options.  Thanks!

PickleRick
SplunkTrust

There is a more detailed description in the Admin Guide but in case of a lab environment (typically an all-in-one setup), the easiest things are to:

1) Copy the $SPLUNK_HOME/etc if you want to have just the configuration or

2) Stop the splunk daemon and copy the whole $SPLUNK_HOME if you want a full backup of all data.

Remember to restore to the same version!

13tsavage
Communicator

This is previously answered here: https://community.splunk.com/t5/Splunk-Enterprise/Configuration-Backup/m-p/577865

All of the ESSENTIAL configurations are found in $SPLUNK_HOME/etc/. In this hypothetical scenario, you would want to ensure this folder is captured. It includes the following:

- Splunk Enterprise license: $SPLUNK_HOME/etc/licenses
- Splunk user knowledge objects: $SPLUNK_HOME/etc/apps/<app_name>/local/*

What is NOT included in this backup and restore of $SPLUNK_HOME/etc/ is the indexed data, as that is stored in $SPLUNK_HOME/var/lib/splunk/* (may be $SPLUNK_DB/).

So, if you are asking about backing up and restoring a single instance of Splunk, you would want to ensure you include $SPLUNK_DB ($SPLUNK_HOME/var/lib/splunk/*).

SplunkNinja
Explorer

Thanks 13tsavage

This is just a standalone SH. So, I believe I should be OK with archiving $SPLUNK_HOME/etc.

Would this be a good command to use for the restore?

tar xzvf /opt/$HOSTNAME.tgz -C /opt/splunk/etc/

13tsavage
Communicator

Be careful with the command, because if you have an archived folder of '/opt/splunk/etc/' in $HOSTNAME.tgz, you are telling your instance to place this directory in /opt/splunk/etc/. What this could do is place your 'etc' folder in the last directory you specify after -C, so the backup's 'etc/' folder would be placed in /opt/splunk/etc/etc.

The following command should suffice:

tar -xzvf /opt/HOSTNAME.tgz -C /opt/splunk/

It is my recommendation to always run scenarios like this in your own test environment before trying to perform backups and restores of production tools.
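As an added example (not code from either poster), the following script reproduces the -C trap described above in a throwaway directory and then shows a round-trip that cannot nest etc/ inside etc/. It deliberately archives etc/ relative to $SPLUNK_HOME rather than by absolute path as in the question's command, so the restore target is $SPLUNK_HOME itself; the directory layout and file contents are constructed for the demo, and running it does not touch a real Splunk install.

```shell
#!/bin/sh
# Added example: tar backup/restore round-trip of $SPLUNK_HOME/etc in a
# throwaway directory. All paths and file contents are constructed for the demo.
set -eu
# Build a stand-in $SPLUNK_HOME with a small etc/ tree (not real Splunk files).
make_fake_splunk() {
  home="$1"
  mkdir -p "$home/etc/apps/search/local" "$home/etc/licenses" "$home/var/lib/splunk"
  printf '[monitor:///var/log/syslog]\nindex = main\n' > "$home/etc/apps/search/local/inputs.conf"
  printf 'constructed-license-placeholder\n' > "$home/etc/licenses/enterprise.lic"
}

# Backup: archive etc/ relative to $SPLUNK_HOME, so the archive holds "etc/..."
# members and the restore does not depend on the absolute install path.
backup_etc() {
  tar -czf "$2" -C "$1" etc
}

# Restore: extract into $SPLUNK_HOME itself, not into $SPLUNK_HOME/etc.
# In real use, stop splunkd first and restore onto the same Splunk version.
restore_etc() {
  mkdir -p "$1"
  tar -xzf "$2" -C "$1"
}

# Returns 0 when the restored etc/ matches the original byte for byte and no
# nested etc/etc was created (the symptom of a wrong -C target).
roundtrip_ok() {
  work=$(mktemp -d)
  make_fake_splunk "$work/src"
  backup_etc "$work/src" "$work/lab01.tgz"
  restore_etc "$work/dst" "$work/lab01.tgz"
  [ ! -d "$work/dst/etc/etc" ] || return 1
  diff -r "$work/src/etc" "$work/dst/etc" > /dev/null
}

# Reproduces the trap from the thread: extracting an "etc/..." archive with
# -C $SPLUNK_HOME/etc lands the files in $SPLUNK_HOME/etc/etc. Returns 0 if so.
nests_when_target_is_etc() {
  work=$(mktemp -d)
  make_fake_splunk "$work/src"
  backup_etc "$work/src" "$work/lab01.tgz"
  restore_etc "$work/dst/etc" "$work/lab01.tgz"
  [ -f "$work/dst/etc/etc/licenses/enterprise.lic" ]
}

# Run both checks when executed directly.
roundtrip_ok && echo "round-trip OK"
nests_when_target_is_etc && echo "wrong -C target nests etc/ inside etc/ as expected"
```

Before extracting a real backup, `tar -tzf` on the archive shows whether its members start with `etc/` or `opt/splunk/etc/`, which decides whether -C should point at $SPLUNK_HOME or at /.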

SplunkNinja
Explorer

Thanks 13tsavage.

I had to use this command to extract to /opt/splunk/etc:

tar -xzvf /opt/$HOSTNAME.tgz -C /

richgalloway
SplunkTrust

It depends on what data you want to preserve, but that command should cover most scenarios.

---
If this reply helps you, Karma would be appreciated.