Back up and restore KV store
Back up the KV store and restore it from backup. Taking regular backups from a healthy environment enables you to restore from a backup in the event of a disaster, or if you add a search head to a cluster. You can also take a backup before migrating to a different machine. See Migrate a Splunk Enterprise instance from one physical machine to another in the Installation Manual for more information.
Make sure to be familiar with the standard backup and restore tools and procedures used by your organization.
Back up the KV store
splunk backup kvstore command from the search head. On a search head cluster, back up from the node with the most recent data. This command creates an archive file in the
./splunk backup kvstore [-archiveName <archive>] [-collectionName <collection>] [-appName <app>]
|archiveName||Optional||Specify the name for the backup archive file.|
|collectionName||Optional||Specify a single target collection to back up, rather than the entire KV store.|
|appName||Optional||Specify a single target app to back up, rather than the entire KV store.|
Check the status of a backup in progress
To check the status of a backup that is in progress, use the
show kvstore-status command to show the
./splunk show kvstore-status
Restore the KV store data
Complete the following prerequisites before you restore the KV store data:
- Make sure the KV store collection
collections.confexists on the Splunk instance that the KV store will be restored to. If you create the collection
collections.confafter restoring the KV store data, then the KV store data will be lost.
- Ensure that your backup archive file is in the
- Check that you created the backup archive file from the same collection that you are restoring. You cannot restore a backup to a different collection.
Now you can use the following
restore kvstore command to restore the KV store. Determine if you want to restore the KV store data to the same search head cluster from which it was backed up, or restore it to a new member being added to a search head cluster. Both cases require the same command, but in different locations:
- To restore the KV store data to the same search head cluster from which it was backed up, use the following command on each member of the cluster.
- To restore the KV store data to a new member being added to the search head cluster, use the following command on that new member after you add it to the cluster.
./splunk restore kvstore [-archiveName <archive>] [-collectionName <collection>] [-appName <app>]
|archiveName||Required||Specify the name of the backup archive file.|
|collectionName||Optional||Specify a single target collection to restore, rather than the entire contents of the archive file.|
|appName||Optional||Specify a single target app to restore, rather than the entire contents of the archive file.|
Restore the KV store data to a new search head cluster
Use the following procedure to create a new search head cluster with new Splunk Enterprise instances.
- Back up the KV store data from a search head in the current search head cluster.
- On a search head that will be in the new search head cluster environment, create the KV store collection using the same collection name as the KV store data you are restoring.
- Initialize the search head cluster with
- Restore the KV store data to the new search head.
- Run the following command from the CLI: splunk clean kvstore --cluster
- Start the Splunk instance and bootstrap with the new search head.
- After the KV store has been restored onto the new search head, add the other new search head cluster members.
- After complete, change the
replication_factoron each search head to the desired replication factor number.
- Perform a rolling restart of your deployment.
Resync the KV store
KV store troubleshooting tools
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2