System backups

Backups in 3 Easy Steps

Step 1: Stop the server

Use the command ps aux | grep splunk or ps -ef | grep splunk to confirm that the Splunk Server processes have actually exited before you proceed with the backup; a copy taken while the indexer is still writing may be inconsistent.


If you have FIFO queues or network ports configured as data inputs to Splunk, it will miss events that come in while it is down. You may want to consider writing these events to a file during the backup period, then loading the file into Splunk when it comes back up.


Step 2: Back up $SPLUNK_HOME

/opt/splunk (or whatever directory you installed the Splunk Server in) contains your indexes, Saved & Live Splunks, user accounts, tags and custom source type names, unless you have moved your index directory, $SPLUNK_DB, somewhere else. By default $SPLUNK_DB is set to $SPLUNK_HOME/var/lib/splunk, so a backup of /opt/splunk captures it; if you relocated $SPLUNK_DB, include that directory in the backup as well.


You may also want to take a snapshot of your data sources, for example var/log, along with your Splunk Server. This lets you rebuild the index or go back to the original sources for debugging.


Step 3: Start the server again

Your Splunk Server will continue indexing data where it left off. If you have a network port configured as a data input, though, you may miss some events while the server is down.
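The three steps above as one script. This is an added example, not code from the Splunk manual; it assumes the Splunk 3.x layout this page describes (the splunk command in $SPLUNK_HOME/bin, $SPLUNK_DB defaulting to $SPLUNK_HOME/var/lib/splunk), a destination directory for the tarball that you choose, and paths without spaces.

```shell
#!/bin/sh
# Added example, not code from the Splunk manual: walks through the three
# backup steps (stop, back up $SPLUNK_HOME, start). Assumes the Splunk 3.x
# layout on this page, with the splunk CLI in $SPLUNK_HOME/bin and $SPLUNK_DB
# defaulting to $SPLUNK_HOME/var/lib/splunk. Paths must not contain spaces.
set -u

# Step 1 check: true while any Splunk Server process is still alive.
# The bracket keeps the grep process itself out of the match; give this
# script a name that does not contain "splunk" or it will match itself.
splunk_running() {
    ps -ef | grep '[s]plunk' >/dev/null 2>&1
}

# Step 2: print the directories the backup must contain. $SPLUNK_HOME is
# always included; $SPLUNK_DB is added only when it lives outside it.
backup_paths() {
    home=$1
    db=${2:-$home/var/lib/splunk}
    printf '%s\n' "$home"
    case "$db" in
        "$home"/*) ;;                  # inside $SPLUNK_HOME, already covered
        *) printf '%s\n' "$db" ;;
    esac
}

# Step 2: archive the given paths into a timestamped tarball under DEST and
# print the archive name. tar strips the leading "/" from member names.
create_backup() {
    dest=$1; shift
    archive="$dest/splunk-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" "$@" || return 1
    printf '%s\n' "$archive"
}

# Confirm that a file or directory actually made it into the archive
# before the server is started again (directories are listed with a "/").
verify_backup() {
    archive=$1
    want=${2#/}
    tar -tzf "$archive" | grep -q -F -x -e "$want" -e "$want/"
}

# Full procedure: stop, confirm nothing is running, archive, verify, start.
# Third argument is $SPLUNK_DB when it has been moved out of $SPLUNK_HOME.
run_backup() {
    home=$1; dest=$2; db=${3:-}
    "$home/bin/splunk" stop
    if splunk_running; then
        echo "Splunk Server processes still running; not backing up" >&2
        return 1
    fi
    paths=$(backup_paths "$home" ${db:+"$db"})
    archive=$(create_backup "$dest" $paths) || return 1
    verify_backup "$archive" "$home/etc" || { echo "archive is missing etc/" >&2; return 1; }
    "$home/bin/splunk" start   # Step 3: indexing resumes where it left off
    printf '%s\n' "$archive"
}
```

Run it as run_backup /opt/splunk /backups, adding the relocated $SPLUNK_DB as a third argument if you moved it. The verify step is the part worth keeping even if you replace tar with a filesystem snapshot: a backup you have never listed is a backup you only hope exists.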


Before you Restore

If you restore a full /opt/splunk backup, check these two items before starting the server to bring it back to life.


License key (Splunk Professional)

Your backup may include an expired license key in $SPLUNK_HOME/etc/splunk.license. Install a current one or get a temporary evaluation key from splunk.com if you don't have one.


Active modules

If you don't want your restored Splunk Server to instantly begin adding new data to its index, move any active modules out of the way before starting the server. This is useful if you want to revisit an old index without having new events added to it. Below is an example of disabling the directory monitor and tailing processor.


# mkdir $SPLUNK_HOME/disabled
# mv $SPLUNK_HOME/etc/modules/{directorymonitor,tailingprocessor} $SPLUNK_HOME/disabled/
# splunk start
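The two restore checks as shell functions, so they can be run as a pre-flight before splunk start and undone afterwards. This is an added example, not code from the Splunk manual; it assumes the layout on this page (modules under $SPLUNK_HOME/etc/modules, the license at $SPLUNK_HOME/etc/splunk.license) and uses a $SPLUNK_HOME/disabled holding directory as the commands above do.

```shell
#!/bin/sh
# Added example, not from the Splunk manual: restore pre-flight helpers for
# the license and active-module checks above. Assumes the Splunk 3.x layout
# on this page: modules in $SPLUNK_HOME/etc/modules, license file at
# $SPLUNK_HOME/etc/splunk.license, quarantine dir $SPLUNK_HOME/disabled.
set -u

# True when the restored tree carries a non-empty license file. Whether the
# key inside has expired cannot be judged here, so the operator still checks
# the key itself before starting the server.
license_present() {
    [ -s "$1/etc/splunk.license" ]
}

# Move the named modules into $SPLUNK_HOME/disabled so the server starts
# without them (same effect as the mkdir/mv commands above). Prints the
# number of modules actually moved; unknown names are reported and skipped.
disable_modules() {
    home=$1; shift
    mkdir -p "$home/disabled"
    moved=0
    for mod in "$@"; do
        if [ -e "$home/etc/modules/$mod" ]; then
            mv "$home/etc/modules/$mod" "$home/disabled/" && moved=$((moved + 1))
        else
            echo "module $mod not found under $home/etc/modules, skipping" >&2
        fi
    done
    echo "$moved"
}

# Put every quarantined module back once you are done with the old index.
enable_modules() {
    home=$1
    [ -d "$home/disabled" ] || return 0
    for path in "$home"/disabled/*; do
        [ -e "$path" ] || continue      # empty directory: the glob did not expand
        mv "$path" "$home/etc/modules/"
    done
}

# Pre-flight: refuse to continue without a license file, then quarantine the
# inputs that would start adding new events to the restored index.
restore_preflight() {
    home=$1; shift
    license_present "$home" || { echo "no license file in $home/etc" >&2; return 1; }
    disable_modules "$home" "$@"
}
```

Typical use is restore_preflight /opt/splunk directorymonitor tailingprocessor followed by splunk start, and enable_modules /opt/splunk when the old index has been examined and normal indexing should resume.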

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.