Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Back up KV store

This topic describes how to safely back up and restore your KV store.

Back up the KV store

Before performing these steps, make sure you are familiar with the standard backup and restore tools and procedures used by your organization.

  1. To back up KV store data, first shut down the Splunk instance from which the KV store will be backed up.
  2. Back up all files in the path that is specified in the dbPath parameter of the [kvstore] stanza in the server.conf file.
  3. On a single node, back up the kvstore folder found in your $SPLUNK_DB path. By default the path is /var/lib/splunk/kvstore.

If using a search head cluster, back up the KV store data on any cluster member.
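
The backup steps above as a shell script, added here as an example and not part of Splunk's documentation or tooling. It assumes a Linux host with awk, tar and sha256sum, that SPLUNK_DB is set in the environment, and that the server.conf you pass is the file that sets dbPath; the script name kv_backup.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk tooling): archive the KV store directory.
set -eu

# Print dbPath from the [kvstore] stanza of the server.conf given as $1.
# If the stanza does not set it, fall back to $SPLUNK_DB/kvstore.
kvstore_dbpath() (
    prefix='$SPLUNK_DB'
    path=$(awk '
        /^[ \t]*\[/ { in_kv = ($0 ~ /^[ \t]*\[kvstore\]/); next }
        in_kv && /^[ \t]*dbPath[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1") || exit 1
    [ -n "$path" ] || path="$prefix/kvstore"
    # Expand a leading literal $SPLUNK_DB without eval-ing file contents.
    case $path in
        "$prefix"*) path=${SPLUNK_DB:?SPLUNK_DB is not set}${path#"$prefix"} ;;
    esac
    printf '%s\n' "$path"
)

# Archive directory $1 into directory $2, write a SHA-256 file beside the
# archive, and print the archive path.
backup_kvstore() (
    src=$1 dest=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; exit 1; }
    # Step 1 of the procedure: the instance must be shut down first.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x splunkd >/dev/null 2>&1; then
        echo "splunkd is running; stop Splunk before backing up" >&2; exit 1
    fi
    umask 077   # KV store data can be sensitive: archive readable by owner only
    name="kvstore-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -C "$(dirname "$src")" -czf "$dest/$name" "$(basename "$src")" &&
        (cd "$dest" && sha256sum "$name" > "$name.sha256") &&
        printf '%s\n' "$dest/$name"
)

# Usage: sh kv_backup.sh <server.conf> <backup dir>   (paths are the caller's)
if [ "$#" -eq 2 ]; then
    backup_kvstore "$(kvstore_dbpath "$1")" "$2"
fi
```

Before a restore, run `sha256sum -c` on the `.sha256` file from inside the backup directory to confirm the archive is unchanged.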

Restore the KV store data

To successfully restore KV store data, the KV store collection definition (collections.conf) must already exist on the instance that the KV store will be restored to.

If you create the collection definition (collections.conf) after restoring the KV store data, the KV store data will be lost.

To restore the KV store data to the same search head cluster that it was backed up from, restore the kvstore folder on each cluster member. For example, in a three-member search head cluster:

  1. Back up the KV store data from a member of the search head cluster.
  2. Stop each cluster member.
  3. Restore the backed-up KV store data folder to each cluster member.
  4. Start each cluster member.

Restore the KV store data to a new member being added to the search head cluster

Restore the KV store data to the new member and add the new member to the cluster. For example, in a three-member search head cluster:

  1. Back up the KV store data from a member of the search head cluster.
  2. On the search head that you want to add to the search head cluster:
    1. Add the member to the cluster. See "Add a cluster member" in the Distributed Search manual.
    2. Stop the member.
    3. Restore the KV store data.
    4. Start the new member.

Restore the KV store data from an old search head cluster to a new search head cluster

This procedure assumes that you are creating a new search head cluster with new instances.

  1. Back up the KV store data from a search head in the current (old) search head cluster.
  2. To restore the KV store data onto a new search head cluster, initialize the search head cluster with one member, restore the KV store data folder before bootstrapping that member, and then add the rest of the search heads to the search head cluster environment. This example uses a three-node old search head cluster environment and a three-node new search head cluster environment:
  • Back up the data from a search head in the old search head cluster.
  • On a search head that will be in the new search head cluster environment:
    • Create the KV store collection using the same collection name as the KV store data you are restoring.
    • Initialize the search head cluster with replication_factor=1.
    • Stop the instance and restore the KV store data.
    • Clean the KV store cluster. This removes cluster information from previous clusters:
      splunk clean kvstore --cluster
    • Start the instance and bootstrap with just this one search head.
  • After the KV store has been restored onto the search head that will be in the new search head cluster environment, you can add the other new search head cluster members.
  • When complete, change the replication_factor on each search head to the desired replication factor number and perform a rolling restart.
Last modified on 22 May, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

