Splunk® Enterprise

Admin Manual

Back up and restore KV store

Back up the KV store and restore it from backup. Taking regular backups from a healthy environment enables you to restore from a backup in the event of a disaster, or if you add a search head to a cluster. Make sure you are familiar with the standard backup and restore tools and procedures used by your organization.

Back up the KV store

Use the backup kvstore command from the search head. If using a search head cluster, back up from the node with the most recent data. This command creates an archive file in the $SPLUNK_HOME/var/lib/splunk/kvstorebackup directory.

./splunk backup kvstore [-archiveName <archive>] [-collectionName <collection>] [-appName <app>]

Option          Required?  Description
archiveName     Optional   Specify the name for the backup archive file.
collectionName  Optional   Specify a single target collection to back up, rather than the entire KV store.
appName         Optional   Specify a single target app to back up, rather than the entire KV store.

Check the status of a backup in progress

To check the status of a backup that is in progress, use the show kvstore-status command to show the backupRestoreStatus field.

./splunk show kvstore-status

Restore the KV store data

Prerequisites

  1. Make sure the collections.conf file that defines the KV store collection exists on the Splunk instance that the KV store will be restored to. If you create the collection in collections.conf after restoring the KV store data, then the KV store data will be lost.
  2. Ensure that your backup archive file is in the $SPLUNK_HOME/var/lib/splunk/kvstorebackup directory.
  3. Check that you created the backup archive file from the same collection that you are restoring. You cannot restore a backup to a different collection.
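
A pre-flight check for the first two prerequisites, as an added example that is not part of the Splunk documentation. It assumes that collections are defined in etc/apps/<app>/local or default/collections.conf and that the archive file name begins with the -archiveName value, because this page does not state the file extension; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify restore prerequisites 1 and 2 before running
# "./splunk restore kvstore". Paths under etc/apps are an assumption.

# Succeeds if a non-empty file whose name starts with <archive> is in kvstorebackup.
archive_present() {
    splunk_home=$1 archive=$2
    case $archive in */*|"") return 1 ;; esac   # bare names only, never a path
    for f in "$splunk_home/var/lib/splunk/kvstorebackup/$archive"*; do
        [ -f "$f" ] && [ -s "$f" ] && return 0
    done
    return 1
}

# Succeeds if the app's collections.conf contains a [<collection>] stanza header.
collection_defined() {
    splunk_home=$1 app=$2 collection=$3
    for conf in "$splunk_home/etc/apps/$app/local/collections.conf" \
                "$splunk_home/etc/apps/$app/default/collections.conf"; do
        [ -f "$conf" ] || continue
        awk -v s="[$collection]" '{ sub(/[ \t\r]+$/, ""); if ($0 == s) found = 1 }
            END { exit !found }' "$conf" && return 0
    done
    return 1
}

# Runs both checks and prints the restore command only when they pass.
restore_preflight() {
    splunk_home=$1 archive=$2 app=$3 collection=$4
    rc=0
    if ! archive_present "$splunk_home" "$archive"; then
        echo "FAIL: no archive '$archive' in the kvstorebackup directory" >&2; rc=1
    fi
    if ! collection_defined "$splunk_home" "$app" "$collection"; then
        echo "FAIL: [$collection] is not defined for app '$app'" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: ./splunk restore kvstore -archiveName $archive" \
        "-collectionName $collection -appName $app"
    return "$rc"
}

# Usage: preflight.sh <archive> <app> <collection>   (SPLUNK_HOME must be set)
if [ "$#" -eq 3 ]; then restore_preflight "${SPLUNK_HOME:?}" "$@"; fi
```

The third prerequisite, that the archive was created from the same collection, cannot be checked from file names alone and still needs your backup records.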

Use the restore kvstore command to restore the KV store. To restore the KV store data to the same search head cluster from which it was backed up, use the following command on each member of the cluster. To restore the KV store data to a new member being added to the search head cluster, use the following command to restore the KV store data after you add the member to the cluster.

./splunk restore kvstore [-archiveName <archive>] [-collectionName <collection>] [-appName <app>]

Option          Required?  Description
archiveName     Required   Specify the name of the backup archive file.
collectionName  Optional   Specify a single target collection to restore, rather than the entire contents of the archive file.
appName         Optional   Specify a single target app to restore, rather than the entire contents of the archive file.

Restore the KV store data to a new search head cluster

Use the following procedure to create a new search head cluster with new Splunk Enterprise instances.

  1. Back up the KV store data from a search head in the current search head cluster.
  2. On a search head that will be in the new search head cluster environment, create the KV store collection using the same collection name as the KV store data you are restoring.
  3. Initialize the search head cluster with replication_factor=1.
  4. Restore the KV store data to the new search head.
  5. Run the following command from the CLI:
    splunk clean kvstore --cluster
  6. Start the Splunk instance and bootstrap with the new search head.
  7. After the KV store has been restored onto the new search head, add the other new search head cluster members.
  8. When that is complete, change the replication_factor on each search head to the desired replication factor.
  9. Perform a rolling restart of your deployment.

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1

