Splunk Search

How to backup KV Store for specific lookups?

Explorer

We have several lookups defined and I would like to back up the KV store for specific lookups (for instance, I need to back up only 5 out of the 200 lookup definitions defined). Is there a way to do that? The Splunk documentation suggests taking a backup of the entire MongoDB under $SPLUNK_DB/kvstore.

Explorer

We published an app this week that includes functionality to back up and restore your KV Store collections. Check it out:
https://splunkbase.splunk.com/app/3536/#/details

0 Karma

Splunk Employee

@jayakumar89 - Did the answer provided by dwaddle help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

SplunkTrust

Two approaches:

  1. Use | inputlookup <kvstore_collection> | eval _key = XXXsave_key | outputlookup collection_backup.csv in order to make a backup file for a collection. Be wary of complex data types and make sure you test restoring.
  2. Write something that uses the REST API to hit the kvstore directly and pulls all the documents and writes them to a file. Then you also have to build and test a restorer.
0 Karma
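
A sketch of the second approach in the answer above, covering both the export and the restorer. This is an added example, not code from the post or from Splunk. It assumes token authentication with an `Authorization: Bearer` header, a JSON-lines backup file, and a page size of 1000; the function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

PAGE = 1000  # documents per request (assumed value; keep within your batch_save limit)


def http_call(base, token, tls_context=None):
    """Return call(method, path, body) bound to one splunkd management URL."""
    def call(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base + path, data=data, method=method, headers={
            "Authorization": "Bearer " + token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=tls_context) as resp:
            return json.loads(resp.read() or b"null")
    return call


def data_path(app, collection, owner="nobody"):
    """REST path of a collection's documents, with each segment URL-encoded."""
    parts = [urllib.parse.quote(p, safe="") for p in (owner, app, collection)]
    return "/servicesNS/%s/%s/storage/collections/data/%s" % tuple(parts)


def backup(call, app, collection, out_file):
    """Page through one collection and write one JSON document per line."""
    skip = total = 0
    with open(out_file, "w", encoding="utf-8") as fh:
        while True:
            # Sorting on _key keeps the paging order stable between requests.
            docs = call("GET", "%s?limit=%d&skip=%d&sort=_key"
                        % (data_path(app, collection), PAGE, skip))
            for doc in docs:
                fh.write(json.dumps(doc, sort_keys=True) + "\n")
            total += len(docs)
            skip += PAGE
            if len(docs) < PAGE:  # a short page means the collection is exhausted
                return total


def restore(call, app, collection, in_file):
    """Replay a backup file through batch_save in PAGE-sized chunks."""
    with open(in_file, encoding="utf-8") as fh:
        docs = [json.loads(line) for line in fh if line.strip()]
    for i in range(0, len(docs), PAGE):
        call("POST", data_path(app, collection) + "/batch_save", docs[i:i + PAGE])
    return len(docs)
```

To back up only the five collections you care about, build `call = http_call("https://<splunk-host>:8089", token)` and loop `backup(call, app, name, name + ".jsonl")` over their names. Test `restore` against a scratch collection first, since nested fields survive the JSON round trip only if the target collection is defined the same way.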