Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Backup

lohit
Path Finder
‎10-30-2013 01:22 AM

I am facing problems with restoring splunk.

I require the searches, indexed data and users created on one installation of splunk to reflect on a fresh installation of splunk.

The steps I followed are:

  1. For restoring data, I copied “defaultdb” folder from Splunk/var/lib/splunk/defaultdb ; “search” folder from Splunk/etc/apps ; “users” folder from Splunk/etc after stopping the splunk services.

  2. Then, after stopping the splunk services on the fresh installation, I replaced the existing “users” and “search” folders with the ones I had copied. But, the saved searches and users did not reflect in Splunk.

  3. Also, when I replaced defaultdb (after stopping the splunk services) in the fresh installation, splunk did not start and it says that splunkd started and then stopped.

Let me know where am I making a mistake and how to correct it. I need it urgently.

Tags (3)
0 Karma
Reply

mcronkrite
Splunk Employee
Splunk Employee
‎06-29-2014 03:14 PM

I think you should be able to exclude some directories. e.g.

$SPLUNK_HOME$/var/run/splunk/dispatch/ 
$SPLUNK_HOME$/var/run/searchpeers/
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-30-2013 04:20 AM

When I transfer copies of Splunk, I take entire backups of etc and var. Make sure they are the SAME version! I'm assuming a *nix system based on the direction of your slashes in the question.

So on your command line on the old system.

cd $SPLUNK_HOME
tar cvfz splunk_backup.tgz etc var

On the new system:

cd $SPLUNK_HOME
tar xvfz splunk_backup.tgz

And chose the option to overwrite everything if requested.

Reply

SamHTexas
Builder
‎04-17-2021 02:21 PM

Would you please show. How I can perform incremental Splunk Ent backups on Daily or weekly basis for small recoveries? Is there an app or process to do regular backups for a distributed environments? Thank u

Tags (1)
0 Karma
Reply

lohit
Path Finder
‎10-30-2013 11:27 PM

Thank you lukejadamec,
Changing the duplicate ids worked.I suppose this was the issue why splunk was giving error.

0 Karma
Reply

lukejadamec
Super Champion
‎10-30-2013 06:34 AM

You can copy the contents of defaultdb/db and defaultdb/colddb to the same location on the new install.
You need to make sure that there are no duplicate unique IDs or you will get an error when you restart Splunk. The unique ID is the last set of numbers of the db folders after the last underscore, and you can change them by hand to whatever you want, just make sure no two are the same.

0 Karma
Reply

lohit
Path Finder
‎10-30-2013 06:05 AM

Hi alacercogitatus,

Thanks for your reply.

I have splunk on windows and the Splunk was re-installed on the same machine. So I only have these 3 folders from the previous splunk instance now: defaultdb, search and users.

Please suggest how to get the indexed data into new installation.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top