We have several Lookups defined and i would like to backup kvstore for specific Lookups (For instance i need to backup only 5 out of 200 lookup definition defined). Is there a way to do that? Splunk documentation suggests to take backup of entire mongoDB under $SPLUNK_DB/kvstore.
@jayakumar89 - Did the answer provided by dwaddle help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
Use | inputlookup <kvstore_collection> | eval _key = XXXsave_key | outputlookup collection_backup.csv in order to make a backup file for a collection. Be wary of complex data types and make sure you test restoring.
Write something that uses the REST API to hit the kvstore directly and pulls all the documents and writes them to a file. Then you also have to build and test a restorer.