Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Back up and restore KV store

Back up the KV store and restore it from backup. Taking regular backups from a healthy environment enables you to restore from a backup in the event of a disaster, or if you add a search head to a cluster. You can also take a backup before migrating to a different machine. See Migrate a Splunk Enterprise instance from one physical machine to another in the Installation Manual for more information.

Make sure that you are familiar with the standard backup and restore tools and procedures used by your organization.

Back up the KV store

Use the splunk backup kvstore command from the search head. On a search head cluster, back up from the node with the most recent data. This command creates an archive file in the $SPLUNK_HOME/var/lib/splunk/kvstorebackup directory of the node from which you took the backup.

./splunk backup kvstore [-archiveName <archive>] [-collectionName <collection>] [-appName <app>]

Option          Required?  Description
archiveName     Optional   Specify the name for the backup archive file without the file extension.
collectionName  Optional   Specify a single target collection to back up, rather than the entire KV store.
appName         Optional   Specify a single target app to back up, rather than the entire KV store.

Check the status of a backup in progress

To check the status of a backup that is in progress, use the show kvstore-status command to show the backupRestoreStatus field.

./splunk show kvstore-status

Restore the KV store data

Complete the following prerequisites before you restore the KV store data.

  1. Make sure that the collections.conf file for the KV store collection exists on the Splunk instance, in the app with the same name as the one that the KV store will be restored to. If you create the collections.conf file for the collection after restoring the KV store data, then the KV store data will be lost.
  2. Ensure that your backup archive file is in the $SPLUNK_HOME/var/lib/splunk/kvstorebackup directory of the instance that you plan to restore the KV store data to.
  3. Check that you created the backup archive file from the same collection that you are restoring. You cannot restore a backup to a different collection.
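
The first two prerequisites can be checked from the shell before running the restore. The script below is an added example, not part of the Splunk documentation or tooling; the function names are hypothetical, and it assumes the standard app layout in which collections.conf lives under $SPLUNK_HOME/etc/apps/<app>/local or default and defines each collection as a [<collection>] stanza.

```shell
#!/bin/sh
# Added example: pre-flight checks before `splunk restore kvstore`.
# Assumption: apps live under $SPLUNK_HOME/etc/apps/<app>/{local,default}.

# Prerequisite 1: collections.conf in the target app defines [<collection>].
collection_defined() {
    for conf in "$1/etc/apps/$2/local/collections.conf" \
                "$1/etc/apps/$2/default/collections.conf"; do
        [ -f "$conf" ] || continue
        # Strip trailing whitespace, then match the stanza header exactly.
        if sed 's/[[:space:]]*$//' "$conf" | grep -qxF "[$3]"; then
            return 0
        fi
    done
    return 1
}

# Prerequisite 2: the archive is a bare file name with its extension,
# located in the kvstorebackup directory of this instance.
archive_present() {
    case $2 in
        ''|*/*|.*) return 1 ;;   # empty, path component, or dotfile
        *.*) ;;                  # has an extension, as restore requires
        *) return 1 ;;
    esac
    [ -f "$1/var/lib/splunk/kvstorebackup/$2" ]
}

# Usage: check_restore_prereqs SPLUNK_HOME ARCHIVE APP COLLECTION
# Prerequisite 3 (archive was taken from this same collection) cannot be
# confirmed from the file system and stays a manual check.
check_restore_prereqs() {
    rc=0
    case $3 in ''|*/*) echo "invalid app name: $3" >&2; return 1 ;; esac
    if ! archive_present "$1" "$2"; then
        echo "archive '$2' not found in $1/var/lib/splunk/kvstorebackup" >&2
        rc=1
    fi
    if ! collection_defined "$1" "$3" "$4"; then
        echo "collection '$4' not defined in collections.conf of app '$3'" >&2
        rc=1
    fi
    return $rc
}

# Run the checks when invoked with four arguments.
if [ "$#" -eq 4 ]; then check_restore_prereqs "$@"; fi
```

A non-zero exit status means that at least one prerequisite failed and the restore should not be started yet.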

Restoring KV store data overwrites any KV store data in your Splunk instance with the data from the backup.

Now you can use the following restore kvstore command to restore the KV store. To restore the KV store in a search head cluster environment, use the following command on any cluster member:

./splunk restore kvstore [-archiveName <archive>] [-collectionName <collection>] [-appName <app>]

Option          Required?  Description
archiveName     Required   Specify the name of the backup archive file with the file extension included.
collectionName  Optional   Specify a single target collection to restore, rather than the entire contents of the archive file.
appName         Optional   Specify a single target app to restore, rather than the entire contents of the archive file.

Restore the KV store data to a new search head cluster

Use the following procedure to create a new search head cluster with new Splunk Enterprise instances.

Restoring KV store data overwrites any KV store data in your Splunk instance with the data from the backup.

  1. Back up the KV store data from the same search head in the current search head cluster from which you took the backup.
  2. On the search head that will be in the new search head cluster environment, create the KV store collection using the same collection name as the KV store data you are restoring.
  3. Initialize the search head cluster with replication_factor=1.
  4. Restore the KV store data to the new search head.
  5. Run the following command from the CLI:
    splunk clean kvstore --cluster
  6. Start the Splunk instance and bootstrap with the new search head.
  7. After the KV store has been restored onto the new search head, add the other new search head cluster members.
  8. When this is complete, change the replication_factor on each search head to the desired replication factor number.
  9. Perform a rolling restart of your deployment.
Last modified on 02 June, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14

