snapshot<\/a><\/strong><\/code>. A snapshot can be taken for an entire running Elasticsearch cluster (including all its data streams and indices<\/em>), specific data streams<\/a> or specific Elasticsearch indices.<\/p>\n\n\n\nIn this tutorial, we will be using a single node Elasticsearch cluster.<\/p>\n\n\n\n
Register a snapshot repository<\/a><\/h3>\n\n\n\nBefore you can take snapshot of the Elasticsearch index\/cluster, you must first register a repository. There are different types of Elasticsearch repositories;<\/p>\n\n\n\n
\n- Shared file system repository<\/a><\/li>\n\n\n\n
- Read-only URL repository<\/a><\/li>\n\n\n\n
- Respository plugins (S3, GCP, HDFS, Azure)<\/a><\/li>\n<\/ul>\n\n\n\n
In this setup, we will use shared file system repository.<\/p>\n\n\n\n
Register Snapshot Repository<\/h4>\n\n\n\n
To register a file system repository, you need to define the file system location on all the master\/data nodes Elasticsearch configuration file. This is the path\/location in which you want to store your backup\/snapshot.<\/p>\n\n\n\n
In our setup, we have mounted our backup disk on \/mnt\/es_backup<\/strong><\/code>.<\/p>\n\n\n\ndf -hT -P \/mnt\/es_backup\/<\/code><\/pre>\n\n\n\nFilesystem Type Size Used Avail Use% Mounted on\n\/dev\/sdb1 ext4 3.9G 16M 3.7G 1% \/mnt\/es_backup<\/code><\/pre>\n\n\n\nTo define the location of the path to the backup location on Elasticsearch configuration file, use the option, path.repo<\/strong><\/code>.<\/p>\n\n\n\npath.repo: [\"\/mnt\/es_backup\"]<\/code><\/pre>\n\n\n\nYou can simply echo this line to the configuration file;<\/p>\n\n\n\n
echo 'path.repo: [\"\/mnt\/es_backup\"]' >> \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\nSet the ownership of the repository path to elasticsearch<\/strong><\/code> user.<\/p>\n\n\n\nchown -R elasticsearch: \/mnt\/es_backup\/<\/code><\/pre>\n\n\n\nIf you have a multinode cluster, set the same configuration on all master and data nodes.<\/p>\n\n\n\n
Once that is done, restart elasticsearch.<\/p>\n\n\n\n
systemctl restart elasticsearch<\/code><\/pre>\n\n\n\nOnce you have defined the backup\/snapshot location, you can now register it by running the command below. Remember in this setup, we are using a file system repository.<\/p>\n\n\n\n
\ncurl -X PUT \"192.168.57.20:9200\/_snapshot\/es_backup?pretty\" -H 'Content-Type: application\/json' -d'\n{\n \"type\": \"fs\",\n \"settings\": {\n \"location\": \"\/mnt\/es_backup\"\n }\n}\n'\n<\/code><\/pre>\n\n\n\nWhen you run the command, you should get the output;<\/p>\n\n\n\n
{\n \"acknowledged\" : true\n}<\/code><\/pre>\n\n\n\nGet Information about Snapshot Repository<\/h4>\n\n\n\n
To retrieve information about a registered repository, run the command below;<\/p>\n\n\n\n
curl -X GET \"192.168.57.20:9200\/_snapshot\/es_backup?pretty\"<\/code><\/pre>\n\n\n\nSample output;<\/p>\n\n\n\n
\n{\n \"es_backup\" : {\n \"type\" : \"fs\",\n \"settings\" : {\n \"location\" : \"\/mnt\/es_backup\"\n }\n }\n}\n<\/code><\/pre>\n\n\n\nTo view all repositories;<\/p>\n\n\n\n
curl -X GET \"192.168.57.20:9200\/_snapshot\/_all?pretty\"<\/code><\/pre>\n\n\n\nIf you want to delete a snapshot repository;<\/p>\n\n\n\n
curl -X DELETE \"192.168.57.20:9200\/_snapshot\/es_backup\/?pretty\"<\/code><\/pre>\n\n\n\nCreate Elasticsearch Snapshot\/Backup<\/a><\/h3>\n\n\n\nCreate Snapshot of Entire Elasticsearch Cluster<\/h4>\n\n\n\n
Once you have registered a snapshot repository, you can now create a snapshot as shown below. “A repository can contain multiple snapshots of the same cluster. Snapshots are identified by unique names within the cluster”.<\/em><\/p>\n\n\n\nTake for example, to create snapshot called es_backup_202104192200<\/strong><\/code>, you would run such a command;<\/p>\n\n\n\ncurl -X PUT \"192.168.57.20:9200\/_snapshot\/es_backup\/es_backup_202104192200?pretty\"<\/code><\/pre>\n\n\n\n{\n \"accepted\" : true\n}<\/code><\/pre>\n\n\n\nBy default, a snapshot backs up all data streams and open indices in the cluster.<\/em><\/p>\n\n\n\nYou can also use the wait_for_completion=true<\/strong><\/code> parameter to specify whether or not the request should return immediately after snapshot initialization (default) or wait for snapshot completion<\/em> like;<\/p>\n\n\n\ncurl -X PUT \"192.168.57.20:9200\/_snapshot\/es_backup\/es_backup_202104192200?wait_for_completion=true\"<\/code><\/pre>\n\n\n\nSee sample contents of the backup\/snapshot directory after the command completes running;<\/p>\n\n\n\n
ls -1 \/mnt\/es_backup\/<\/code><\/pre>\n\n\n\nindex-0\nindex.latest\nindices\nmeta-33qzhT82QTmvH4GkWn-vhw.dat\nsnap-33qzhT82QTmvH4GkWn-vhw.dat<\/code><\/pre>\n\n\n\nCreate Snapshot of Specific Elasticsearch Index<\/h4>\n\n\n\n
In my current, I have just a few indices for demo only;<\/p>\n\n\n\n
curl 192.168.57.20:9200\/_cat\/indices?pretty<\/code><\/pre>\n\n\n\nyellow open filebeat-7.10.1-2021.04.16-000001 XWQ7QQ_9Tpar_rPE5dn0Sw 1 1 24 0 146kb 146kb\nyellow open filebeat-7.12.0-2021.04.19-000001 0sQCK1OTRWiosULRHKQMpw 1 1 66423 0 15.5mb 15.5mb\n...<\/code><\/pre>\n\n\n\nSo let’s say i want to backup a specific index, filebeat-7.12.0-2021.04.19-000001<\/strong><\/code>;<\/p>\n\n\n\n\ncurl -X PUT \"192.168.57.20:9200\/_snapshot\/es_backup\/filebeat_202104192200?pretty\" -H 'Content-Type: application\/json' -d'\n{\n \"indices\": \"filebeat-7.12.0-2021.04.19-000001\",\n \"ignore_unavailable\": true,\n \"include_global_state\": false\n}\n'\n<\/code><\/pre>\n\n\n\nWhile taking a snapshot, you can include other options such as;<\/p>\n\n\n\n
\nignore_unavailable<\/strong><\/code>: takes the option true<\/code> or false<\/code>.\n\n- When set to true, it causes the indices\/data streams that do not exist to be ignored while taking snapshot.<\/li>\n\n\n\n
- if not defined, snapshot will fail if a data stream or index is missing while taking snapshot.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
include_global_state<\/code><\/strong>: can be set to true<\/code><\/strong> to false<\/code><\/strong>.\n\n- if set to
true<\/strong><\/code>, it causes the snapshot to save the current cluster state as part of the snapshot.<\/li>\n\n\n\n- if set to
false<\/strong><\/code>, it prevents the cluster global state from being stored as part of the snapshot.<\/li>\n<\/ul>\n<\/li>\n\n\n\npartial<\/code><\/strong>:\n\n- if set to false (default), the snapshot will fail if one or more indices in the snapshot do not have all primary shards available.<\/li>\n\n\n\n
- If set to true, snapshot will take place even if one or more indices in the snapshot do not have all primary shards available.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
expand_wildcards<\/code><\/strong>:\n\n- used to control whether
hidden<\/code><\/strong> and closed<\/strong><\/code> indices will be included in the snapshot, and defaults to all<\/strong><\/code>.<\/li>\n<\/ul>\n<\/li>\n\n\n\nmetadata<\/code><\/strong>:\n\n- add information such as who took the snapshot, why it was taken, or any other data that might be useful<\/em> to the snapshot.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
See example below;<\/p>\n\n\n\n
\ncurl -X PUT \"192.168.57.20:9200\/_snapshot\/es_backup\/filebeat_202104192200?pretty\" -H 'Content-Type: application\/json' -d'\n{\n \"indices\": \"filebeat-7.12.0-2021.04.19-000001\",\n \"ignore_unavailable\": true,\n \"include_global_state\": false,\n \"metadata\": {\n \"taken_by\": \"kifarunix\",\n \"taken_because\": \"test backup\"\n }\n}\n'\n<\/code><\/pre>\n\n\n\nView Snapshot Information<\/h4>\n\n\n\n
To view information about created snapshots within a specific repository, run the example commands below.<\/p>\n\n\n\n
For example, to view information about es_backup_202104192200<\/strong><\/code> snapshot;<\/p>\n\n\n\ncurl -X GET \"192.168.57.20:9200\/_snapshot\/es_backup\/es_backup_202104192200?pretty\"<\/code><\/pre>\n\n\n\n\n{\n \"snapshots\" : [\n {\n \"snapshot\" : \"es_backup_202104192200\",\n \"uuid\" : \"33qzhT82QTmvH4GkWn-vhw\",\n \"version_id\" : 7100099,\n \"version\" : \"7.10.0\",\n \"indices\" : [\n \".kibana_task_manager_1\",\n \"filebeat-7.12.0-2021.04.19-000001\",\n \"filebeat-7.10.1-2021.04.16-000001\",\n \".kibana-event-log-7.10.0-000001\",\n \".async-search\",\n \".apm-agent-configuration\",\n \"ilm-history-3-000001\",\n \".kibana_1\",\n \".apm-custom-link\"\n ],\n \"data_streams\" : [ ],\n \"include_global_state\" : true,\n \"state\" : \"SUCCESS\",\n \"start_time\" : \"2021-04-19T19:57:08.912Z\",\n \"start_time_in_millis\" : 1618862228912,\n \"end_time\" : \"2021-04-19T19:57:56.691Z\",\n \"end_time_in_millis\" : 1618862276691,\n \"duration_in_millis\" : 47779,\n \"failures\" : [ ],\n \"shards\" : {\n \"total\" : 9,\n \"failed\" : 0,\n \"successful\" : 9\n }\n }\n ]\n}\n<\/code><\/pre>\n\n\n\nYou can see indices and data streams in the backup snapshot.<\/p>\n\n\n\n
To view all snapshots within a repository;<\/p>\n\n\n\n
curl -X GET \"192.168.57.20:9200\/_snapshot\/es_backup\/_all?pretty\"<\/code><\/pre>\n\n\n\nRestore Elasticsearch Snapshot\/backup<\/a><\/h3>\n\n\n\nNow, let say you accidentally deleted an index, which you already had backup for. Then it is easy to restore the Elasticsearch snapshot.<\/p>\n\n\n\n
According to Elasticsearch snapshot restore<\/a>;<\/p>\n\n\n\n\n- You cannot restore snapshots from later Elasticsearch versions into a cluster running an earlier Elasticsearch version. For example, you cannot restore a snapshot taken in 7.6.0 to a cluster running 7.5.0.<\/em><\/li>\n\n\n\n
- You cannot restore indices into a cluster running a version of Elasticsearch that is more than one major version newer than the version of Elasticsearch used to snapshot the indices. For example, you cannot restore indices from a snapshot taken in 5.0 to a cluster running 7.0<\/em>.<\/li>\n<\/ul>\n\n\n\n
The following table summarizes the snapshot compatibility between cluster versions;<\/p>\n\n\n\n
\n\n<\/td> Cluster version<\/strong><\/td><\/td> <\/td> <\/td> <\/td><\/tr> Snapshot version<\/strong><\/td>2.x<\/td> 5.x<\/td> 6.x<\/td> 7.x<\/td> 8.x<\/td><\/tr> 1.x<\/strong> \u2192<\/td>![\"Yes\"](\"https:\/\/doc-icons.s3.us-east-2.amazonaws.com\/icon-yes.png\" "\\"\\"")
<\/td>![\"No\"](\"https:\/\/doc-icons.s3.us-east-2.amazonaws.com\/icon-no.png\" "\\"\\"")
<\/td><\/td> <\/td> <\/td><\/tr> 2.x<\/strong> \u2192<\/td><\/td> <\/td> <\/td> <\/td> <\/td><\/tr> 5.x<\/strong> \u2192<\/td><\/td> <\/td> <\/td> <\/td> <\/td><\/tr> 6.x<\/strong> \u2192<\/td><\/td> <\/td> <\/td> <\/td> <\/td><\/tr> 7.x<\/strong> \u2192<\/td><\/td> <\/td> <\/td> <\/td> <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n<\/div>\n<\/div>\n\n\n\n
In above, we learnt how to take a snapshot of the entire cluster as well as for an individual Elasticsearch index.<\/p>\n\n\n\n
So, for demo purposes, let us delete the indices on our current Elasticsearch;<\/p>\n\n\n\n
curl -X DELETE \"192.168.57.20:9200\/_all?pretty\"<\/code><\/pre>\n\n\n\n{\n \"acknowledged\" : true\n}<\/code><\/pre>\n\n\n\nIf you try to list available indices, you will find one of the Kibana indices having been created automatically;<\/p>\n\n\n\n
curl 192.168.57.20:9200\/_cat\/indices?pretty<\/code><\/pre>\n\n\n\nyellow open .kibana -CjWP5YlSdi5eqt1VpLXng 1 1 1 0 5kb 5kb<\/code><\/pre>\n\n\n\nNext, to try and restore our general\/entire cluster snapshot, es_backup_202104192200<\/code>, then you can run the command below;<\/p>\n\n\n\ncurl -X POST \"192.168.57.20:9200\/_snapshot\/es_backup\/es_backup_202104192200\/_restore?pretty\"<\/code><\/pre>\n\n\n\nIf some of the indices already exist and open, within the cluster, that matches some of the indices available in the snapshot, you can either close or delete the existing index or restore the index under a different name by providing a rename pattern and replacement name<\/strong>.<\/p>\n\n\n\nSample error;<\/p>\n\n\n\n
\n{\n \"error\" : {\n \"root_cause\" : [\n {\n \"type\" : \"snapshot_restore_exception\",\n \"reason\" : \"[es_backup:es_backup_202104192200\/33qzhT82QTmvH4GkWn-vhw] cannot restore index [ilm-history-3-000001] because an open index with same name already exists in the cluster. Either close or delete the existing index or restore the index under a different name by providing a rename pattern and replacement name\"\n }\n ],\n \"type\" : \"snapshot_restore_exception\",\n \"reason\" : \"[es_backup:es_backup_202104192200\/33qzhT82QTmvH4GkWn-vhw] cannot restore index [ilm-history-3-000001] because an open index with same name already exists in the cluster. Either close or delete the existing index or restore the index under a different name by providing a rename pattern and replacement name\"\n },\n \"status\" : 500\n}\n<\/code><\/pre>\n\n\n\nSo let us close the complaining index<\/p>\n\n\n\n
curl -X POST \"192.168.57.20:9200\/ilm-history-3-000001\/_close?pretty\"<\/code><\/pre>\n\n\n\nSample command output.<\/p>\n\n\n\n
{\n \"acknowledged\" : true,\n \"shards_acknowledged\" : true,\n \"indices\" : {\n \"ilm-history-3-000001\" : {\n \"closed\" : true\n }\n }\n}<\/code><\/pre>\n\n\n\nIf you get such an error;<\/p>\n\n\n\n
\n{\n \"error\" : {\n \"root_cause\" : [\n {\n \"type\" : \"illegal_state_exception\",\n \"reason\" : \"index, alias, and data stream names need to be unique, but the following duplicates were found [.kibana (alias of [.kibana_1\/vSrhd_CyTva5oI1ggwnCuQ]) conflicts with index]\"\n }\n ],\n \"type\" : \"illegal_state_exception\",\n \"reason\" : \"index, alias, and data stream names need to be unique, but the following duplicates were found [.kibana (alias of [.kibana_1\/vSrhd_CyTva5oI1ggwnCuQ]) conflicts with index]\"\n },\n \"status\" : 500\n}\n<\/code><\/pre>\n\n\n\nDelete the indices again;<\/p>\n\n\n\n
curl -X DELETE \"192.168.57.20:9200\/_all?pretty\"<\/code><\/pre>\n\n\n\nAnd immediately run the snapshot restore before .kibana index is auto created.<\/p>\n\n\n\n
Now when you run a snapshot restore;<\/p>\n\n\n\n
curl -X POST \"192.168.57.20:9200\/_snapshot\/es_backup\/es_backup_202104192200\/_restore?pretty\"<\/code><\/pre>\n\n\n\nYou should get;<\/p>\n\n\n\n
{\n \"accepted\" : true\n}<\/code><\/pre>\n\n\n\nListing the indices again should now be same as before;<\/p>\n\n\n\n
curl 192.168.57.20:9200\/_cat\/indices?pretty<\/code><\/pre>\n\n\n\n\nyellow open filebeat-7.10.1-2021.04.16-000001 QImIEVM9SOKvtDnO1WUyNw 1 1 24 0 146kb 146kb\nyellow open filebeat-7.12.0-2021.04.19-000001 -rYD-nUNR9m10x2W21uAAg 1 1 66423 0 15.5mb 15.5mb\ngreen open .apm-custom-link b6b_dTNPQHOLatvVyw6fUg 1 0 0 0 208b 208b\ngreen open .kibana_task_manager_1 f2Eg4u8yRvSEk47QU-wwbg 1 0 5 3 132.9kb 132.9kb\ngreen open .apm-agent-configuration kMWsZ9kBTW6xeYoe3J4sIA 1 0 0 0 208b 208b\ngreen open .kibana-event-log-7.10.0-000001 -ZTzLi9zTuOnjcsm2wOhAw 1 0 2 0 11kb 11kb\ngreen open .async-search la4iO9BFTd6qSUzrw7JKNw 1 0 2 2 924.5kb 924.5kb\ngreen open .kibana_1 gK9b55LTRCiuwm9sFRTuaQ 1 0 1558 7 10.7mb 10.7mb\n<\/code><\/pre>\n\n\n\nAnd that is how easy it is to backup and restore an Elasticsearch index data.<\/p>\n\n\n\n
To delete a snapshot;<\/p>\n\n\n\n
curl -X DELETE \"192.168.57.20:9200\/_snapshot\/es_backup\/es_backup_202104192200?pretty\"<\/code><\/pre>\n\n\n\nIn our next guide, you can also restore elasticsearch index data to a different elasticsearch cluster. Links is provided below;<\/p>\n\n\n\n
Restore Elasticsearch Data to another Cluster<\/a><\/p>\n\n\n\nReference<\/h3>\n\n\n\n
Elasticsearch Snapshot and Restore<\/a><\/p>\n\n\n\nOther Tutorials<\/h3>\n\n\n\n
Setup Kibana Elasticsearch and Fluentd on CentOS 8<\/a><\/p>\n\n\n\nSetup Multi-node Elasticsearch 7.x Cluster on Fedora 30\/Fedora 29\/CentOS 7<\/a><\/p>\n\n\n\n