Splunk® Enterprise

Admin Manual

Back up KV Store

This topic describes how to safely back up and restore your KV Store.

Back up the KV Store

Before performing these steps, make sure you are familiar with the standard backup and restore tools and procedures used by your organization.

  1. To back up KV store data, first shut down the Splunk instance from which the KV Store will be backed up.
  2. Back up all files in the path that is specified in the dbPath parameter of the [kvstore] stanza in the server.conf file.
  3. On a single node, back up the kvstore folder found in your $SPLUNK_DB path. By default the path is /var/lib/splunk/kvstore.

If using a search head cluster, back up the KV Store data on any cluster member.

Restore the KV Store data

Note: To successfully restore KV Store data, the KV Store collection definition in collections.conf must already exist on the Splunk instance the KV Store will be restored to. If you create the collection in collections.conf after restoring the KV Store data, the KV Store data will be lost.

To restore the KV Store data to the same search head cluster that it was backed up from, restore the kvstore folder on each cluster member. For example, in a three-member search head cluster:

  1. Back up the KV Store data from a member of the search head cluster.
  2. Stop each cluster member.
  3. Restore the backed-up KV Store data folder to each cluster member.
  4. Start each cluster member.
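
The backup and same-cluster restore steps above, as an added shell example that is not from the Splunk documentation: it reads dbPath from a single server.conf, archives the folder with owner-only permissions and a SHA-256 checksum, and refuses to restore an archive whose checksum no longer matches. The function names, the /secure/backups directory and the checksum step are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, backup layout and the checksum step are assumptions.

# Print dbPath from the [kvstore] stanza of one server.conf ($1), expanding
# $SPLUNK_DB to $2. Falls back to $SPLUNK_DB/kvstore when dbPath is not set.
# Simplification: reads a single file, not Splunk's merged configuration.
kv_dbpath() {
  awk -v db="$2" '
    /^\[/ { in_kv = ($0 ~ /^\[kvstore\][ \t]*$/); next }
    in_kv && /^[ \t]*dbPath[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); found = $0
    }
    END {
      if (found == "") found = "$SPLUNK_DB/kvstore"
      gsub(/\$SPLUNK_DB/, db, found); print found
    }' "$1"
}

# Archive the kvstore folder ($1) into backup directory ($2) and write a
# SHA-256 checksum beside it. umask 077 keeps both files owner-only, since
# KV Store collections can hold sensitive application data. Prints the archive path.
kv_backup() (
  umask 077
  mkdir -p "$2" || exit 1
  out="$2/kvstore-$(date +%Y%m%dT%H%M%S).tar.gz"
  tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")" || exit 1
  ( cd "$2" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" ) || exit 1
  printf '%s\n' "$out"
)

# Succeed only if the archive ($1) still matches its recorded checksum.
kv_verify() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) >/dev/null 2>&1
}

# Unpack the archive ($1) under the parent directory of the kvstore folder ($2),
# refusing an archive that was modified or truncated after the backup.
kv_restore() {
  kv_verify "$1" || { echo "checksum mismatch, not restoring: $1" >&2; return 1; }
  tar -xzf "$1" -C "$2"
}

# Order of operations on each instance, following the steps above
# (/secure/backups is a hypothetical destination):
#   splunk stop
#   src=$(kv_dbpath "$SPLUNK_HOME/etc/system/local/server.conf" "$SPLUNK_DB")
#   kv_backup "$src" /secure/backups    # or: kv_restore <archive> "$(dirname "$src")"
#   splunk start
```

Before restoring, move any existing kvstore folder aside so that files from the old and restored data sets do not mix.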

Restore the KV Store data to a new member being added to the search head cluster

Restore the KV Store data to the new member and add the new member to the cluster. For example, in a three-member search head cluster:

  1. Back up the KV Store data from a member of the search head cluster.
  2. On the search head that you want to add to the search head cluster:
    1. Add the member to the cluster. See "Add a cluster member" in the Distributed Search manual.
    2. Stop the member.
    3. Restore the KV Store data.
    4. Start the new member.

Restore the KV Store data from an old search head cluster to a new search head cluster

Note: This procedure assumes you are creating a new search head cluster with new Splunk Enterprise instances.

  1. Back up the KV Store data from a search head in the current (old) search head cluster.
  2. To restore the KV Store data onto a new search head cluster, initialize the search head cluster with one member, restore the KV Store data folder before bootstrapping that member, and then add the rest of the search heads to the search head cluster environment. This example uses a three-node old search head cluster environment and a three-node new search head cluster environment:
  • Back up the data from a search head in the old search head cluster.
  • On a search head that will be in the new search head cluster environment:
    • Create the KV Store collection using the same collection name as the KV Store data you are restoring.
    • Initialize the search head cluster with replication_factor=1.
    • Stop the Splunk instance and restore the KV Store data.
    • Clean the KV Store cluster. This removes cluster information from previous clusters:
      splunk clean kvstore --cluster
    • Start the Splunk instance and bootstrap with just this one search head.
  • Once the KV Store has been restored onto the search head that will be in the new search head cluster environment, you can add the other new search head cluster members.
  • Once complete, change the replication_factor on each search head to the desired replication factor and perform a rolling restart.

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2

