Hi I need to do a 100% backup of the full SPLUNK d...

robertlynch2020 · ‎06-23-2016

Hi I need to do a 100% backup of the full SPLUNK directory and all its contents.
We have a tool in the company that does this, however when i tired to test this SPLUNK started up the index were empty.
Then i read on the SPLUNK Web about Back-up Steps, however i was hoping for a way that i could take the full directory and not to run different steps etc...

At the moment the workaround is to STOP splunk do the back up and then start SPLUNK. However this is not great.

Is there anyway to do a HOT backup (from the file system) when SPLUNK is still up and copy something that will come back to life (If i miss 1 hours of data its not the end of the world for us)

Any help would be great 🙂

adonio · ‎05-24-2017

hope you found an answer already, just in case you did not and to answer the question here:
the challenge here is that hot buckets are open for writes and constantly change as data is written to.
you can specify your backup to ignore those. so you will copy / backup. check this link regarding buckets naming conventions:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...
if your indexers are not clustered, you will backup buckets that are not: hot_<N>_guid
to get the best latest backup, you can restart splunk before the backup, this will roll all hot buckets to warm and seal them so they cant be written to.
as you mentioned, if you miss 1 hour of data in the backup its not the end of the world
hope it helps

Hi I need to do a 100% backup of the full SPLUNK directory and all its contents.

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability