Backing Up Splunk
Splunk stores our raw data and their indexes in
While Splunk is running some parts of the data can safely be backed up ("warm buckets") and some cannot ("hot buckets"). Setting up the right strategy requires understanding and managing Splunk's indexes and index policies, as explained in the documentation. I believe that another alternative is to shut Splunk down, back up the Splunk directory, and then restart Splunk. Note that this strategy will not work in every Splunk environment, but should in ours. We're monitoring a fixed number of files that are forwarded over TCP. The relevant stanzas in our custom inputs.conf include the statement followTail = 0, as in the example below:
    [monitor://C:\Program Files\iAS\logs\ias_errors_log.txt]
    disabled = false
    followTail = 0
    sourcetype = ias_error
When set to 0, followTail should mean that the Splunk forwarder keeps track of the last line it uploaded to the Splunk server. If the forwarder or the server goes down, the forwarder should be able to pick up where it left off when the system is back on-line.
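Because the stop-and-copy backup strategy above relies on every monitored file carrying followTail = 0, it is worth auditing inputs.conf for stanzas that set it to something else or omit it. The following script is an added example, not code from the page or from Splunk: it parses the INI-style stanza format that inputs.conf uses and lists every enabled monitor:// input whose followTail is not explicitly 0. The inputs.conf text embedded in it is constructed for the example (only the first stanza mirrors the one shown above); point parse_conf at a real file's contents to audit it.

```python
"""Audit monitor:// stanzas in a Splunk inputs.conf for followTail.

Added example. The SAMPLE_INPUTS_CONF text is constructed for illustration;
only the first stanza matches the one quoted in the notes above.
"""

import re
from typing import Dict, List, Tuple

# Constructed sample: three monitor inputs plus an unrelated TCP input.
SAMPLE_INPUTS_CONF = r"""
# custom inputs.conf (constructed for this example)
[monitor://C:\Program Files\iAS\logs\ias_errors_log.txt]
disabled = false
followTail = 0
sourcetype = ias_error

[monitor://C:\Program Files\iAS\logs\ias_access_log.txt]
disabled = false
followTail = 1
sourcetype = ias_access

[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = iis

[tcp://9997]
disabled = false
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk conf files are INI-like: '[stanza]' headers, 'key = value'
    lines and '#' comments. Keys are case-sensitive (followTail is not
    the same key as followtail), so no case folding is done here.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or a malformed line: skip it
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def monitor_inputs(stanzas: Dict[str, Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (monitored path, settings) for every enabled monitor:// stanza."""
    out: List[Tuple[str, Dict[str, str]]] = []
    for name, kv in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        # Splunk treats a missing 'disabled' as enabled.
        if kv.get("disabled", "false").lower() in ("1", "true"):
            continue
        out.append((name[len("monitor://"):], kv))
    return out


def audit_follow_tail(text: str) -> List[str]:
    """List enabled monitor inputs whose followTail is not explicitly 0.

    A stanza that omits followTail is flagged too, since the backup
    strategy in the notes assumes the setting is present and set to 0.
    """
    flagged: List[str] = []
    for path, kv in monitor_inputs(parse_conf(text)):
        if kv.get("followTail", "").strip() != "0":
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in audit_follow_tail(SAMPLE_INPUTS_CONF):
        print("followTail is not 0 for:", path)
```

Run against the constructed sample, the script flags the ias_access_log.txt stanza (followTail = 1) and the IIS directory stanza (followTail absent); the stanza copied from the notes passes. The TCP input is ignored because the followTail question only applies to monitor:// inputs.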