Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Backup

lohit
Path Finder
‎10-30-2013 01:22 AM

I am facing problems with restoring splunk.

I require the searches, indexed data and users created on one installation of splunk to reflect on a fresh installation of splunk.

The steps I followed are:

  1. For restoring data, I copied “defaultdb” folder from Splunk/var/lib/splunk/defaultdb ; “search” folder from Splunk/etc/apps ; “users” folder from Splunk/etc after stopping the splunk services.

  2. Then, after stopping the splunk services on the fresh installation, I replaced the existing “users” and “search” folders with the ones I had copied. But, the saved searches and users did not reflect in Splunk.

  3. Also, when I replaced defaultdb (after stopping the splunk services) in the fresh installation, splunk did not start and it says that splunkd started and then stopped.

Let me know where am I making a mistake and how to correct it. I need it urgently.

Tags (3)
0 Karma
Reply

mcronkrite
Splunk Employee
Splunk Employee
‎06-29-2014 03:14 PM

I think you should be able to exclude some directories. e.g.

$SPLUNK_HOME$/var/run/splunk/dispatch/ 
$SPLUNK_HOME$/var/run/searchpeers/
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-30-2013 04:20 AM

When I transfer copies of Splunk, I take entire backups of etc and var. Make sure they are the SAME version! I'm assuming a *nix system based on the direction of your slashes in the question.

So on your command line on the old system.

cd $SPLUNK_HOME
tar cvfz splunk_backup.tgz etc var

On the new system:

cd $SPLUNK_HOME
tar xvfz splunk_backup.tgz

And chose the option to overwrite everything if requested.

Reply

SamHTexas
Builder
‎04-17-2021 02:21 PM

Would you please show. How I can perform incremental Splunk Ent backups on Daily or weekly basis for small recoveries? Is there an app or process to do regular backups for a distributed environments? Thank u

Tags (1)
0 Karma
Reply

lohit
Path Finder
‎10-30-2013 11:27 PM

Thank you lukejadamec,
Changing the duplicate ids worked.I suppose this was the issue why splunk was giving error.

0 Karma
Reply

lukejadamec
Super Champion
‎10-30-2013 06:34 AM

You can copy the contents of defaultdb/db and defaultdb/colddb to the same location on the new install.
You need to make sure that there are no duplicate unique IDs or you will get an error when you restart Splunk. The unique ID is the last set of numbers of the db folders after the last underscore, and you can change them by hand to whatever you want, just make sure no two are the same.

0 Karma
Reply

lohit
Path Finder
‎10-30-2013 06:05 AM

Hi alacercogitatus,

Thanks for your reply.

I have splunk on windows and the Splunk was re-installed on the same machine. So I only have these 3 folders from the previous splunk instance now: defaultdb, search and users.

Please suggest how to get the indexed data into new installation.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...