How to backup all data Splunk has indexed?

areeter · ‎02-07-2017

Hi everyone!

I would like to do a quick and dirty backup of all of my data Splunk has ever indexed. Am I fine to stop Splunk, then just take a copy of everything under $SPLUNK_HOME/var/lib/splunk ?

Thanks!

praveenbandi · ‎02-08-2017

have you changed any of default path in index.conf? if not the actual db path will be,

$SPLUNK_HOME/var/lib/splunk /*

So I would say simply back-up the folder after shutdown the splunk service(preferred) .

Steps would be,

run the above command suggested by @areeter something like this | rest /services/data/indexes | stats values(*expanded) as * by title
make sure the path are same $SPLUNK_HOME/var/lib/splunk/.
Stop the server ./splunk stop
backup the path, cp index_pah new_path

Hope this will helps you.

mpreddy · ‎02-07-2017

Use this:

http://blogs.splunk.com/2011/12/20/index-backup-strategy/

http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/Backupindexeddata

areeter · ‎02-07-2017

Cheers for that.

In that second link it states: For smaller amounts of data, shut down Splunk and just make a copy of your database directories before performing the upgrade... Where is that DB directory? Under $SPLUNK_HOME/var/lib/splunk ?

davebrooking · ‎02-08-2017

The default location for indexes is $SPLUNK_HOME/var/lib/splunk, but when you create an index you have options to store the Home Path, Cold Path and Thawed Path elsewhere. Querying the index rest endpoint will give you a lot of information regarding your indexes, including their paths. Try the search command

| rest /services/data/indexes

and you should see what you need to backup.

Dave

How to backup all data Splunk has indexed?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio