Refine your search:

How to backup/restore Splunk db to new system

2
1

Seeking advice for how to best backup/restore splunk databases to newly built systems with minimal application downtime for 3 index servers. Current OS - RHEL, to be OS - Oracle Ent Linux. Current install path: /splunk1 /splunk2 /splunk3 on relative system. New install path: /opt/splunk. Currently have Veritas configured but not effectively implemented/utilized (part of reason to rebuild), new systems will not have clustering installed. Splunk version 4.0.8

asked 07 May '10, 17:03

Jaci's gravatar image

Jaci ♦
8722217
accept rate: 75%

edited 07 May '10, 20:24

2 Answers:
oldestnewestmost voted
5

Just to add detail to these steps & after talking to Zach who explained they are doing a hardware switchover. Looks like they may not have the option to run concurrent systems with duplicate data, Although it is the ideal scenario especially for that much data!

If you must do a hard/switchover migration follow these steps
1) ensure the indexes are all created on your new server so the db dir structure is in place.
2) Backup your warm / cold buckets, and copy / move to new data store location (IMPORTANT do NOT backup your hot buckets)
warm buckets
$SPLUNK_HOME/var/lib/splunk/< indexname >/db/db_NN_NN_NN dirs
cold buckets
$SPLUNK_HOME/var/lib/splunk/< indexname >/coldb/db_NN_NN_N dirs
3) perform a splunk roll to warm command to get your hot buckets, rolled to warm. I would recommend running it on the CLI so you know when it's complete. From the CLI:

For all indexes
./splunk search "| debug cmd=roll"

or individual indexes
./splunk search "| debug cmd=roll index= < indexname > "

4) Immediately stop your production splunk so no new data is coming in, Although you will lose some data from the time the roll to warm completes and new data coming in to your hot buckets.
5) There will be new warm buckets created, from the roll to warm command backup these new warm buckets, and copy / move to new data store location warm buckets
$SPLUNK_HOME/var/lib/splunk/< indexname >/db/db_NN_NN_NN dirs

6) start up splunk and search on your old data

link

answered 11 May '10, 23:24

Chris%20R.'s gravatar image

Chris R.
1.0k126
accept rate: 36%

edited 12 May '10, 16:55

3

There are a few questions you should first answer before undertaking this:

  1. Can you concurrently run Splunk in both environments?
  2. What are your storage limitations?
  3. How is data currently being backed up?

If you can run both Splunk environments concurrently, then doing a cutover of the inputs and setting up distributed search to the old system would be the ideal scenario. Assuming you test and stage on the new environments, the cutover should be pretty seamless.

If you are unable to run both environments concurrently and have storage limitations, then you will need to plan the methodology for copying over the individual buckets. You can very easily configure Splunk to use a new path for the indexes/dbs. The hard part is getting them onto the new system as 2-3TB may take a very long time to move.

One potential solution is to use an NFS mount for the data that is residing on the initial machine. This solution would depend on the reliability of the current disks and NFS.

link

answered 07 May '10, 20:15

Simeon's gravatar image

Simeon ♦
3.7k5627
accept rate: 26%

tried this on splunk4.2.2, and got the following error in CLI

ppang-mbp-2:bin paulpang$ ./splunk search "| debug cmd=roll index=main" FATAL: Error in 'DebugCommand': command=roll issued successfully to index=main, but debug command is deprecated, try the CLI command instead

(06 Oct '11, 02:05) ppang
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×31
×21

Asked: 07 May '10, 17:03

Seen: 3,432 times

Last updated: 06 Oct '11, 02:05

Related questions

Backup and restore of Splunk??

Splunk backup and restore procedure?

how to make a temporary backup/restore of Splunk on Windows server ?

When should I restore from backup?

Script to backup of Splunk

Can't access data after DB migration

windows scheduled backup

How to backup the GUI

Another hot to warmdb question / backup strategy

Copyright © 2005-2012 Splunk, Inc. All rights reserved.