Last week, we released a new app on Splunkbase™, Gemini KV Store Tools, written by our Director of Professional Services, JR Murray. It fills a gap for ES and ITSI customers who want a regular scheduled backup of KV Store through an easily accessible Splunk® interface. You can access the app on Splunkbase™. The following description was originally posted on Splunkbase™.

Gemini KV Store Tools for Splunk

Utilities for the Splunk App Key-Value Store

The Gemini app for Splunk KV Store includes the following features:

  • KV Store backup: Back up KV Store collections
  • KV Store restore: Restore KV Store collections from backup jobs
  • KV Store alert action: Similar to outputlookup, but can be toggled on/off by users that have permissions to edit search jobs without modifying the search.

KV Store Backup

This functionality is implemented through a generating search command. Simply run or schedule a search like the following:

| kvstorebackup app="app_name" collection="collection_name" path="/data/backup/kvstore" global_scope="false"

The backup process will write one or more .json or .json.gz files (one for each collection).


– (Required) app: – Set the app in which to look for the collection(s).

– (Required) path: – Set the directory path for the output files.

– (Optional) global_scope: [true|false] – Specify whether or not to include all globally available collections. (Default: false)

– (Optional) collection: – Specify the collection to back up within the specified app. (Default: All)

– (Optional) compression: [true|false] – Specify whether or not to compress the backups. (Default: false)

Best Practice: In a Search Head Cluster (SHC) environment, map a shared network drive to all members so that the backed-up collections are available to all of them.

KV Store Restore

This functionality is implemented through a generating search command. Run a search such as:

| kvstorerestore filename="/backup/kvstore/app_name#collection_name#20170130*"

The restore process will delete the KV Store collection and overwrite it with the contents of the backup.


– (Required) filename: – Specify the file to restore the data from.
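
Because the restore deletes the collection before loading the backup, a truncated or corrupt file is worth catching before kvstorerestore runs. The following pre-restore check is an added example, not part of the app or the original Splunkbase description; it assumes the file name follows the app_name#collection_name#date pattern shown above and that each file holds a JSON array of records, which the description does not specify.

```python
import gzip
import hashlib
import json
import os
import tempfile
import zlib


def check_backup(path):
    """Validate a backup file before passing it to kvstorerestore.

    Assumed, not stated in the app description: the base name is
    app#collection#timestamp... and the content is a JSON array of objects.
    Returns a summary dict; raises ValueError if the file should not be used.
    """
    name = os.path.basename(path)
    parts = name.split("#", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("name is not app#collection#timestamp: " + name)
    if not name.endswith((".json", ".json.gz")):
        raise ValueError("unexpected extension: " + name)
    with open(path, "rb") as fh:
        raw = fh.read()
    digest = hashlib.sha256(raw).hexdigest()  # store with the backup job log
    try:
        if name.endswith(".gz"):
            raw = gzip.decompress(raw)  # raises on truncated or corrupt archives
        records = json.loads(raw.decode("utf-8"))
    except (OSError, EOFError, ValueError, zlib.error) as exc:
        raise ValueError("unreadable backup %s: %s" % (name, exc))
    if not isinstance(records, list) or not all(isinstance(r, dict) for r in records):
        raise ValueError("expected a JSON array of objects in " + name)
    return {"app": parts[0], "collection": parts[1],
            "records": len(records), "sha256": digest}


if __name__ == "__main__":
    # Constructed sample: one intact backup and one cut off mid-write.
    rows = [{"_key": "1", "host": "web01"}, {"_key": "2", "host": "web02"}]
    blob = gzip.compress(json.dumps(rows).encode("utf-8"))
    with tempfile.TemporaryDirectory() as tmp:
        for stamp, data in (("20170130", blob), ("20170131", blob[:-8])):
            path = os.path.join(tmp, "app_name#collection_name#%s.json.gz" % stamp)
            with open(path, "wb") as fh:
                fh.write(data)
            try:
                print("OK  ", check_backup(path))
            except ValueError as err:
                print("SKIP", err)
```

Comparing the returned record count and SHA-256 against values logged at backup time also shows whether a file on the shared backup path changed after it was written.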

Release Notes

Version 1.0.0

April 3, 2017

Initial Release