Knowledge Management

Hi I need to do a 100% backup of the full SPLUNK directory and all its contents.

robertlynch2020
Motivator

Hi I need to do a 100% backup of the full SPLUNK directory and all its contents.
We have a tool in the company that does this, however when I tried to test this, SPLUNK started up and the indexes were empty.
Then I read on the SPLUNK Web about Back-up Steps, however I was hoping for a way that I could take the full directory and not have to run different steps etc...

At the moment the workaround is to STOP Splunk, do the backup and then start SPLUNK. However this is not great.

Is there any way to do a HOT backup (from the file system) when SPLUNK is still up and copy something that will come back to life? (If I miss 1 hour of data it's not the end of the world for us.)

Any help would be great 🙂

0 Karma

adonio
Ultra Champion

Hope you found an answer already. Just in case you did not, and to answer the question here:
The challenge here is that hot buckets are open for writes and constantly change as data is written to them.
You can specify your backup to ignore those, so you will copy / backup. Check this link regarding bucket naming conventions:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...
If your indexers are not clustered, you will back up buckets that are not: hot_<N>_guid
To get the best latest backup, you can restart Splunk before the backup; this will roll all hot buckets to warm and seal them so they can't be written to.
As you mentioned, if you miss 1 hour of data in the backup it's not the end of the world.
Hope it helps.

0 Karma
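
As an added example (not code from the thread or from Splunk), here is one way to make a file-system backup ignore hot buckets as the answer above describes: a shell function that copies a directory tree but never descends into a directory named `hot_*`. The function names and the paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example: copy a directory tree while skipping hot buckets,
# i.e. any directory whose name starts with "hot_".
# Usage (paths are assumptions): backup_skip_hot /opt/splunk /backup/splunk

# list_hot_buckets SRC: print the hot bucket directories that will be skipped,
# so the operator can see what the backup does not contain.
list_hot_buckets() {
    ( cd "$1" && find . -type d -name 'hot_*' -print | sort )
}

# backup_skip_hot SRC DEST: copy everything under SRC to DEST except hot_*.
backup_skip_hot() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "source not found: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    dest_abs=$(cd "$dest" && pwd) || return 1
    (
        cd "$src" || exit 1
        # Recreate directories first so empty ones survive; -prune stops
        # find from descending into hot buckets at all.
        find . -type d -name 'hot_*' -prune -o -type d -print |
        while IFS= read -r d; do
            mkdir -p "$dest_abs/$d" || exit 1
        done || exit 1
        # Then copy regular files, preserving mode and timestamps.
        find . -type d -name 'hot_*' -prune -o -type f -print |
        while IFS= read -r f; do
            cp -p "$f" "$dest_abs/$f" || exit 1
        done
    )
}
```

Run `list_hot_buckets` against the same source first and keep its output with the backup, so a later restore knows which buckets were left out.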