Back up and restore KV store (2023)

Back up the KV store and restore it from backup. Taking regular backups from a healthy environment enables you to restore from a backup in the event of a disaster, or if you add a search head to a cluster. You can also take a backup before migrating to a different machine. See Migrate a Splunk Enterprise instance from one physical machine to another in the Installation Manual for more information.

Make sure you are familiar with the standard backup and restore tools and procedures used by your organization.

You can perform different tasks with the KV store, including checking the status, taking a backup, and restoring the KV store to an existing or a new search head or search head cluster. Use the following table to decide which methods to use.

| Task | Description | Limitations |
| --- | --- | --- |
| Check the KV store status | Before taking a backup or restoring the KV store, you need to check that the KV store is ready. You can also check on backups and restores that are in progress. | n/a |
| Backup and restore with point in time consistency | Choose this method to guarantee consistency in the backup and restore process. This method captures all changes during the backup process, and blocks all changes during the restore process. | You must ensure that all searches, particularly real-time searches, are complete before restoring the KV store. You cannot back up specific apps or collections, only the entire KV store. |
| Backup and restore without guaranteed consistency | Choose this method to back up and restore specific apps or collections, or the entire KV store. | This method doesn't guarantee consistency in backup and restore. Changes made during backup aren't always captured. |

Check the KV store status

To check the status of the KV store, use the show kvstore-status command:

./splunk show kvstore-status

The backupRestoreStatus field and the status field indicate the statuses of the KV store. The backupRestoreStatus field indicates the readiness of the node to perform a backup. The status field indicates the status of the storage engine. Both must be in a ready state for you to take a backup.

In a deployment that uses a search head cluster, use the ./splunk show shcluster-status --verbose command at any time to see if any or all cluster members are in maintenance mode. The kvstore_maintenance_status field indicates the captain's status, and the kvstore_status field indicates the status for individual members.

Back up and restore the KV store with point in time consistency

Use the following steps to back up the KV store, prepare to restore the KV store data, and then restore the KV store data.

Back up the KV store

Complete the following steps to back up the KV store with point in time consistency.

  1. In the CLI, run the splunk show kvstore-status command.
  2. Ensure that the backupRestoreStatus field and the status field are both in the ready state.
  3. If you are running any searches that use outputlookup with the default append=f parameter, end them or allow them to complete before taking a backup, or the backup fails.
  4. (Optional) Create a separate partition for your backup directory, so that the backup is preserved if the $SPLUNK_DB/kvstore directory fails.
  5. Use the splunk backup kvstore -pointInTime true command from any search head. This creates an archive file in the $SPLUNK_DB/kvstorebackup directory. You must use the -pointInTime true portion of the command to back up with consistency.

In a search head cluster deployment, only one backup operation can take place at a time. If you initiate a backup on more than one search head at the same time, only one backup succeeds.

To customize your backup, check the full list of arguments for the backup command:

./splunk backup kvstore [-pointInTime <true|false>] [-cancel <true|false>] [-parallelCollections <num>] [-archiveName <archive>]

| Argument | Description |
| --- | --- |
| -pointInTime | Defaults to false. To take a consistent backup, set it to true. |
| -cancel | Defaults to false. Set the argument to true to cancel an in-progress backup. |
| -parallelCollections | Defaults to 1. Raise the number to increase the number of collections to back up in parallel. |
| -archiveName | Defaults to kvdump_<epoch>.tar.gz. Set to change the name of the backup file. |

Prepare to restore the KV store data

Next, complete the following steps to prepare to restore the KV store data:

  1. Check to see if a backup file was taken with consistency by using the ./splunk show kvstore -archiveName <archive file> command. You can only restore the KV store with consistency with a backup file that was taken with consistency. Backups taken with consistency used the -pointInTime true argument in the backup command.
  2. Make sure the KV store collection collections.conf file exists on the Splunk Enterprise instance in the same application name that the KV store is going to be restored to.

    If you create the collection collections.conf after restoring the KV store data, the KV store data will be lost.

  3. Ensure that your backup archive file is in the $SPLUNK_DB/kvstorebackup directory. If your deployment uses a search head cluster, make sure that the archive file is in that directory on the captain node.
  4. Check that you created the backup archive file from the same collection that you are restoring. You cannot restore a backup to a different collection.

Restore the KV store data to an existing deployment

Now complete the following steps to restore the KV store data.

Restoring KV store data overwrites any KV store data in your Splunk Enterprise instance with the data from the backup.

  1. Ensure all searches are complete, especially real-time searches.
  2. (Optional) To ensure that no searches that use the KV store are started by the scheduler, temporarily disable the scheduler.
  3. If your deployment uses a search head cluster, switch to static captain mode.
  4. Use the splunk enable kvstore-maintenance-mode command to enable maintenance mode. Once you enable maintenance mode, you cannot make any changes to the KV store, and searches that attempt to modify the KV store contents fail. Maintenance mode ensures that the restore completes with consistency.
  5. From the search head cluster captain, restore the KV store data with the splunk restore kvstore -pointInTime true -archiveName <archive> command. Even in a clustered deployment, only one restore operation can take place at a time.
  6. Verify that the restore process is complete with the splunk show kvstore-status command.
  7. Disable maintenance mode with the splunk disable kvstore-maintenance-mode command.
  8. If you disabled the scheduler, enable it now.
  9. If your deployment uses a search head cluster, switch back to dynamic captain mode.

To customize your restore, check the full list of arguments for the restore command:

./splunk restore kvstore [-pointInTime <true|false>] -archiveName <archive> [-parallelCollection <num>] [-insertionsWorkersPerCollection <num>] [-cancel]

| Argument | Description |
| --- | --- |
| -pointInTime | Defaults to false. To restore from a backup taken with consistency, set the argument to true. |
| -cancel | Defaults to false. Set the argument to true to cancel an in-progress restore. |
| -parallelCollections | Defaults to 1. Raise the number to increase the number of collections to restore in parallel, which speeds up the restore. |
| -archiveName | Required. Specify the name of the backup file to use. |
| -insertionsWorkersPerCollection | Defaults to 1. Raise the number to increase the number of insertion workers per collection, which speeds up the restore. |
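
The readiness check from the backup steps and steps 4 to 7 of the restore procedure can be scripted as follows. This is an added example, not Splunk's own tooling: the function names, the SPLUNK and POLL_SECONDS variables and the sample status text are assumptions, as is polling backupRestoreStatus to detect that the restore has finished. It does not cover the scheduler or static captain steps.

```shell
#!/usr/bin/env bash
# Added example, not Splunk's own tooling. SPLUNK (path to the CLI) and
# POLL_SECONDS are assumptions; override them for your installation.
SPLUNK="${SPLUNK:-${SPLUNK_HOME:-/opt/splunk}/bin/splunk}"

# Constructed sample of `splunk show kvstore-status` output (not from a real host).
SAMPLE_STATUS='  backupRestoreStatus : Ready
  replicationStatus : KV store captain
  status : ready'

# Print one field's value, lower-cased. The field name must match exactly,
# so "status" does not pick up backupRestoreStatus or replicationStatus.
kv_field() {
  awk -F' : ' -v f="$1" '{ k = $1; gsub(/[ \t]/, "", k) }
    k == f { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print tolower(v); exit }'
}

# Succeed only when backupRestoreStatus and status are both ready.
kvstore_ready() {
  local out; out="$(cat)"
  [ "$(printf '%s\n' "$out" | kv_field backupRestoreStatus)" = ready ] &&
    [ "$(printf '%s\n' "$out" | kv_field status)" = ready ]
}

# Backup steps 1, 2 and 5: refuse to back up unless the node is ready.
backup_pit() {
  "$SPLUNK" show kvstore-status | kvstore_ready ||
    { echo "KV store not ready; backup skipped" >&2; return 1; }
  "$SPLUNK" backup kvstore -pointInTime true
}

# Restore steps 4 to 7: maintenance mode is always switched off again,
# even when the restore command fails or the wait times out.
restore_pit() {
  local archive="$1" tries="${2:-60}" rc=0
  "$SPLUNK" enable kvstore-maintenance-mode || return 1
  "$SPLUNK" restore kvstore -pointInTime true -archiveName "$archive" || rc=$?
  # Assumption: backupRestoreStatus returns to Ready once the restore is done.
  while [ "$rc" -eq 0 ] &&
    [ "$("$SPLUNK" show kvstore-status | kv_field backupRestoreStatus)" != ready ]; do
    tries=$((tries - 1)); [ "$tries" -gt 0 ] || { rc=2; break; }
    sleep "${POLL_SECONDS:-5}"
  done
  "$SPLUNK" disable kvstore-maintenance-mode || rc=3
  return "$rc"
}

printf '%s\n' "$SAMPLE_STATUS" | kvstore_ready && echo "sample status: ready"
```

A nonzero return from restore_pit means the restore command failed (its own exit code), the wait timed out (2), or maintenance mode could not be disabled (3).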

Back up and restore the KV store without guaranteed consistency

Use the following steps to back up the KV store, prepare to restore the KV store data, and then restore the KV store data, either to an existing deployment or to a new one.

Back up the KV store

Complete the following steps to back up the KV store:

  1. In the CLI, run the splunk show kvstore-status command.
  2. Ensure that the backupRestoreStatus field and the status field are both in the ready state before taking a backup.
  3. (Optional) Create a separate partition for your backup directory, so that the backup is preserved if the $SPLUNK_DB/kvstore directory fails.
  4. To create an archive file in the $SPLUNK_DB/kvstorebackup directory, run the splunk backup kvstore command according to the following conditions:
    • If you're backing up a single search head deployment, run the command from the search head.
    • If you're backing up a search head cluster, run the command from the node with the most recent data.
  5. (Optional) Add the following arguments to specify the name of the backup archive file, or define specific collections or apps to back up instead of the entire KV store:
    ./splunk backup kvstore [-archiveName <archive>] [-collectionName <collection>] [-appName <app>]

Prepare to restore the KV store data

Complete the following steps to prepare to restore the KV store data.

  1. Make sure the KV store collection collections.conf file exists on the Splunk Enterprise instance in the same application name that the KV store is going to be restored to.

    If you create the collection collections.conf after restoring the KV store data, the KV store data will be lost.

  2. Ensure that your backup archive file is in the $SPLUNK_DB/kvstorebackup directory. In a search head cluster deployment, ensure the file is in this directory on the node from which you are restoring. You only need to restore from one node. The restore replicates across all of the other nodes automatically.
  3. Check that you created the backup archive file from the same collection that you are restoring. You cannot restore a backup to a different collection.

Restore the KV store data to an existing deployment

Complete the following steps to restore the KV store data to an existing search head cluster:

Restoring KV store data overwrites any KV store data in your Splunk Enterprise instance with the data from the backup.

  1. Restore the KV store data with the splunk restore kvstore command.
  2. (Optional) Add the following arguments to specify the name of the backup archive file, or specific collections or apps to restore instead of the entire KV store:
    ./splunk restore kvstore [-archiveName <archive>] [-collectionName <collection>] [-appName <app>]
  3. Verify that the restore process is complete by running the splunk show kvstore-status command.

Restore the KV store data to a new search head cluster

Complete the following steps to create a new search head cluster with new Splunk Enterprise instances. This procedure only works if you took the backup from a search head cluster deployment without using the -pointInTime true argument.

  1. Back up the KV store data from the same search head in the current search head cluster from which you took the backup.
  2. On that search head that will be in the new search head cluster environment, create the KV store collection using the same collection name as the KV store data you are restoring.
  3. Initialize the search head cluster with replication_factor=1.
  4. Restore the KV store data to the new search head by using the splunk restore kvstore command.
  5. Run the following command from the CLI: splunk clean kvstore --cluster
  6. Start the Splunk instance and bootstrap with the new search head.
  7. After the KV store has been restored onto the new search head, add the other new search head cluster members.
  8. After this is complete, change the replication_factor on each search head to the desired replication factor number.
  9. Perform a rolling restart of your deployment.

Article information

Author: Delena Feil

Last Updated: 11/03/2023
