Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Configure warm standby in Splunk UBA

Configure a warm standby failover solution for Splunk UBA. When configured, the primary system synchronizes data with the standby system so that the standby system can be used in a read-only capacity. All platform services such as Zookeeper, Hadoop, Postgres, Impala, Redis, and containers are running on the standby system, but all Splunk UBA services are stopped.

See How Splunk UBA synchronizes the primary and standby systems for more information about synchronization between the primary and standby systems.

Set the roles of the primary and standby systems

Configuring warm standby in Splunk UBA requires that you clearly define the role of each system whenever there is a change.

  1. When a primary system (System A) becomes unavailable due to an unexpected outage or a planned upgrade, you can manually fail over to the standby system (System B).
  2. For System B to act as the primary system, you must configure System B to be the primary system and System A to be the standby system. Splunk UBA can't change system roles automatically.
  3. Then, if you want System A to return as the primary system, you must first fail over from System B to System A, then switch the roles of both systems so that System A is the primary system and System B is the standby system.

The following table shows how you must change the roles of both systems. In the example, System A is the system currently running Splunk UBA, and System B will be set up as the backup system.

Scenario and description, by step:

Step 1
[Figure: setting up a second Splunk UBA system to be the standby system. An arrow labeled "sync" points from the primary system (System A) to the standby system (System B).]

Configure the standby Splunk UBA system (System B), so that all platform services are running and all Splunk UBA services are stopped. System A synchronizes data to System B in read-only mode.
  1. First, verify all requirements. See Requirements to set up warm standby for Splunk UBA.
  2. Follow the instructions in Set up the standby Splunk UBA system to set up System B as the standby system.

System B should run in read-only mode. Do not start any Splunk UBA services in the standby system. If you do, the PostgreSQL logs can fill up and negatively affect performance. See Clean up the standby system if you accidentally started Splunk UBA services.

Step 2
[Figure: failing over from System A to System B when System A becomes unavailable.]

As needed, manually fail over from the primary system to the standby system. See Failover to a standby Splunk UBA system.

After the failover, System A is unavailable and System B is running Splunk UBA as a standalone system. Replication between the systems is disabled when you perform the failover, and System A does not automatically become the standby system. If you want to bring System A back into the warm standby configuration, you must restore it as the standby system to System B.

Step 3
[Figure: bringing System A back up and switching its role to be the standby system.]

If needed, recover the system that became unavailable (System A) and change its role to be the standby system. If you performed a failover as part of a planned upgrade or HA/DR test, power System A back up, then change its role to be the standby system. Both of the following tasks must be performed:
  1. Configure System B to be the primary system. Enable replication on System B to synchronize data to System A. System A runs in read-only mode, with all the platform services running and all Splunk UBA services stopped.
  2. Configure System A to be the standby system. See Set up the standby Splunk UBA system.

If you want to continue with System B as the primary system and System A as the standby system, you don't need to do anything else.

If you want to restore System A as the primary system and System B as the standby system, perform both steps 4 and 5 below.

Step 4
[Figure: failing over from System B to System A.]

Manually fail over from System B back to System A. See Failover to a standby Splunk UBA system. The failover operation disables replication between the systems.

Step 5
[Figure: switching the roles on both systems so that System A is returned to primary system, and System B becomes the standby.]

Change the roles of both systems to make System A the primary system again. Both of the following tasks must be performed:
  1. Configure System A to be the primary system. Enable replication on System A to synchronize data to System B.
  2. Configure System B to be the standby system. See Change the role of both systems to switch the primary and standby systems.

Last modified on 03 September, 2021

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1

