Splunk - Backup and Restoring the KV Store
Hello again everyone
Recently I had an issue with an app that we had been using. Post-upgrade of the app caused some functionality to stop working. After a lot of debugging I still couldn't find a resolution. After talking to the developer, it was decided that the best path forward was to remove it and reinstall it.
The problem was that this app, as many others do, stores its configurations and custom settings in the KV Store. By removing the app, the custom configurations we had for it in the KV Store would go away with it. By backing up the KV Store data for that app and restoring it upon reinstall, it would add back all of our custom configurations.
It was a really easy process; here it is.
First, back up the data from that app to a specific archive file (I did this on the SHC Captain). This puts the backup file in the $SPLUNK_DB/kvstorebackup directory:
./splunk backup kvstore -archiveName <appname>_kvstore_backup.tar.gz -appName <appname>
After that I went ahead and removed the app and reinstalled it. This re-adds the collections.conf for the original app.
Then I ran (I did this on the SHC Captain as it replicates across the SHC):
./splunk restore kvstore -archiveName <appname>_kvstore_backup.tar.gz -appName <appname>
Then I performed a rolling restart.
Post restart the app is fixed and all the custom settings and configurations are present and working.
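Because removing the app deletes its KV Store data, the archive is the only copy between the backup and the restore. The script below is an added example, not part of the original post: it checks that the archive is a readable, non-empty gzip tar before the app is removed, restricts it to its owner, and records a SHA-256 digest to compare again just before the restore. The function names and the use of gzip, tar and sha256sum are assumptions; the archive's internal layout is not assumed.

```shell
#!/bin/sh
# Added example (not from the original post): check a KV Store backup archive
# before removing the app, and confirm it is unchanged before restoring.
# Assumes gzip, tar and sha256sum are installed; function names are hypothetical.
# Usage: sh check_backup.sh "$SPLUNK_DB/kvstorebackup/<appname>_kvstore_backup.tar.gz"

# Returns 0 if usable; 1 missing/empty, 2 corrupt gzip, 3 unreadable tar,
# 4 archive holds no files, 5 permissions could not be tightened.
verify_kvstore_backup() {
    archive=$1
    if [ ! -f "$archive" ] || [ ! -s "$archive" ]; then
        echo "missing or empty: $archive" >&2; return 1
    fi
    # A truncated or partially written archive fails the gzip CRC/length check.
    gzip -t "$archive" 2>/dev/null || { echo "corrupt gzip: $archive" >&2; return 2; }
    entries=$(tar -tzf "$archive" 2>/dev/null) \
        || { echo "unreadable tar: $archive" >&2; return 3; }
    # Count members that are not directories (directories list with a trailing /).
    files=$(printf '%s\n' "$entries" | grep -cv -e '/$' -e '^$' || true)
    [ "$files" -gt 0 ] || { echo "no files in: $archive" >&2; return 4; }
    # The backup holds the app's configuration: keep it readable by the owner only.
    chmod 600 "$archive" || return 5
    # Record a digest so the file restored later can be compared with this one.
    sha256sum "$archive" > "$archive.sha256"
    echo "ok: $files file(s) in $archive, digest in $archive.sha256"
}

# Run just before 'splunk restore kvstore': succeeds only if the archive still
# matches the digest recorded by verify_kvstore_backup.
confirm_backup_unchanged() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

if [ "$#" -gt 0 ]; then
    verify_kvstore_backup "$1"
fi
```
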
Hope this helps someone, it was a pretty easy process to figure out.
Have a great day!