
Restore the KV store

1. On an SHC node, check the $SPLUNK_HOME/var/lib/splunk/kvstorebackup directory to make sure that the kvdump_example.tar.gz backup file that you want to use for the restore is there. If it is not in that directory, manually copy your tar.gz file to that location. Note that the KV store backup file is not automatically replicated to each SHC member.
2. Ensure that Splunk Enterprise Security is installed. The collections.conf file is necessary to complete the restore.
3. Run the following command to restore the KV store:
   splunk restore kvstore -archiveName kvdump_example.tar.gz
4. Restore the snapshot bundle by extracting the backup tar file in the $SPLUNK_HOME/var/run/splunk/snapshot directory into the $SPLUNK_HOME/etc directory.
5. Repeat these steps on each SHC node that you want to restore. Restoring the KV store on one SHC node does not cause the KV store to replicate automatically to the other SHC members.

Entries that are present in both the current KV store and in the backup are updated and replaced by the entry in the
backup. Collections that are in the current KV store but not in the backup are preserved, but not necessarily the
documents inside of the collection.

Complete restoring the search head cluster environment

Finish restoring Splunk Enterprise Security from backup in an SHC environment.

1. In the $SPLUNK_HOME/etc/system/local/server.conf file, locate the [shclustering] stanza.
2. Update the id field in this stanza with the GUID that you copied from the server.conf file during backup.
3. Run the following command to restart Splunk:
   splunk restart
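The two procedures above (restoring the KV store, then completing the search head cluster restore) as one per-node script. This is an added example, not Splunk's own tooling and not code from the original page. It assumes SPLUNK_HOME defaults to /opt/splunk, that Enterprise Security's collections.conf files live somewhere under $SPLUNK_HOME/etc/apps, that the snapshot bundle is a gzipped tar whose paths are relative to $SPLUNK_HOME/etc, and that the SHC GUID was saved from the backed-up server.conf. Set DRY_RUN=1 to print the splunk commands instead of executing them.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: runs the per-node ES restore steps.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; ES ships collections.conf
# under $SPLUNK_HOME/etc/apps; the snapshot bundle unpacks relative to etc/;
# the SHC GUID was copied from the backed-up server.conf.
# DRY_RUN=1 prints the splunk commands instead of running them.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1-2: the archive must already be on this node (it is not replicated
# across the cluster) and ES must be installed, checked via collections.conf.
preflight() {
  home="$1"; archive="$2"
  if [ ! -f "$home/var/lib/splunk/kvstorebackup/$archive" ]; then
    echo "backup archive not found on this node: $archive" >&2
    return 1
  fi
  if [ -z "$(find "$home/etc/apps" -name collections.conf 2>/dev/null | head -n 1)" ]; then
    echo "no collections.conf under $home/etc/apps; is ES installed?" >&2
    return 1
  fi
  return 0
}

# Step 3: restore the KV store from the named archive.
restore_kvstore() {
  run "$1/bin/splunk" restore kvstore -archiveName "$2"
}

# Step 4: unpack the snapshot bundle taken during backup into $SPLUNK_HOME/etc.
extract_snapshot() {
  home="$1"; bundle="$2"
  tar -xzf "$home/var/run/splunk/snapshot/$bundle" -C "$home/etc"
}

# Completion steps: put the saved GUID back into [shclustering] in server.conf.
# Only the id line inside that stanza is rewritten; an id in any other stanza
# (for example [general]) is left untouched.
set_shc_id() {
  conf="$1"; guid="$2"; tmp="$conf.tmp.$$"
  awk -v guid="$guid" '
    /^\[/ { shc = ($0 == "[shclustering]") }
    shc && /^[ \t]*id[ \t]*=/ { print "id = " guid; next }
    { print }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Read back the id currently set in [shclustering], for verification.
get_shc_id() {
  awk '
    /^\[/ { shc = ($0 == "[shclustering]") }
    shc && /^[ \t]*id[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# Whole per-node procedure; run it on every SHC member you are restoring.
restore_node() {
  home="$1"; archive="$2"; bundle="$3"; guid="$4"
  preflight "$home" "$archive" || return 1
  restore_kvstore "$home" "$archive"
  extract_snapshot "$home" "$bundle"
  set_shc_id "$home/etc/system/local/server.conf" "$guid"
  run "$home/bin/splunk" restart
}

# Usage: sh restore_es_node.sh --run kvdump_example.tar.gz <snapshot.tar.gz> <GUID>
if [ "${1:-}" = "--run" ]; then
  restore_node "$SPLUNK_HOME" "$2" "$3" "$4"
fi
```

The preflight deliberately fails closed: if either the archive or collections.conf is missing on this member, nothing is restored and nothing is restarted, so a node that was skipped during the manual copy in step 1 cannot end up half-restored.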

Restore incident review history from internal audit logs

If a backup process was not in place before the KV store lost data, some of the incident review history can still be recovered from internal logs, subject to the retention settings of the _audit index. The following search rebuilds incident review rows from the last 30 days of audit events (adjust earliest to match your _audit retention) and appends them to a separately named lookup, so the live incident_review_lookup is not modified until you have checked the recovered rows:

earliest=-30d index=_audit sourcetype=incident_review | rex "@@\w+,(?<rule_id>[^,]+),(?<rule_name>[^,]+),(?<status>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<comment>.*),(?<user>[^,]+),(?<something>[^,]+)" | eval time=_time | table comment owner rule_id rule_name status time urgency user | outputlookup append=t incident_review_lookup_REMOVE_FOR_SAFETY

The rex extraction assumes the audit line is a comma-separated record that begins with "@@" and carries the fields in the order shown; compare it with a sample event from sourcetype=incident_review before running the outputlookup, because a mismatched field order produces wrong rows without any error.

Deploy add-ons to Splunk Enterprise Security


The Splunk Enterprise Security package includes a set of add-ons, and is compatible with others.

• The add-ons that include "SA-" or "DA-" in the name make up the Splunk Enterprise Security framework. You do
not need to take any additional action to deploy or configure these add-ons, because their installation and setup is
handled as part of the Splunk Enterprise Security installation process. Do not disable any add-ons that make up
the Splunk Enterprise Security framework.
• The rest of the add-ons include "TA-" in the name and are technology-specific and provide the CIM-compliant
knowledge necessary to incorporate that source data into Enterprise Security.

For more about how the different types of add-ons interact with Splunk Enterprise Security, see About the ES solution
