Overview of backing up ITE Work KV store data

Regularly backing up the KV store lets you restore your data from a backup in the event of a disaster or if you add a search head to a cluster. You can perform both full backups and partial backups of your data.

When you run a backup job, ITE Work saves your data to a set of JSON files compressed into a single ZIP file located in $SPLUNK_HOME/var/itsi/backups on the search head. ITE Work detects and preserves the application version that it creates a backup from. When you restore from a backup, ITE Work detects the correct version of the backup and performs the required migration.

You can perform the following backup and restore operations within ITE Work:

• Create a full backup of ITE Work
• Create a partial backup of ITE Work
• Restore a full or partial backup of ITE Work

Splunk Cloud Platform customers must back up and restore their data from the ITE Work user interface.

The following table describes the functionality available in each backup and restore method:

In addition to any custom backup jobs you create, ITE Work also takes a default scheduled backup of your KV store data every day at 1:00 AM. For more information, see About default scheduled backups in ITE Work.

Difference between an ITE Work backup and a Splunk Enterprise backup

Splunk Enterprise offers an option to back up and restore the KV store. For more information, see Back up and restore KV store in the Splunk Enterprise Admin Manual. However, an ITE Work backup is specifically formatted to process the content in the ITSI (IT Service Intelligence) backup files. The Splunk Enterprise backup is not formatted like an ITE Work backup, so you cannot use it to back up your ITSI or ITE Work data.

ITE Work processes all backup content. ITE Work also triggers other activities, such as saved search generation and object dependency updates. Directly restoring Splunk Enterprise KV store data does not restore the ITE Work system completely. Instead, use the processes described in this topic to back up your ITSI or ITE Work data.

What gets backed up

The following table describes the types of data included and not included in an ITE Work backup.

To back up indexed data, use the same approach you use to back up other Splunk indexes. For more information, see Back up indexed data in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Back up and restore in a search head cluster environment

You can run backup and restore jobs from the Backup/Restore page in search head cluster environments. You can create a backup on any cluster member and then restore data from that backup on any cluster member, regardless of where you initiated the backup.

For example, suppose your search head cluster has three cluster members: sh-01, sh-02, and sh-03. If you create a backup on sh-01, you can restore that backup on sh-01, sh-02, or sh-03.

When you create a backup on any search head cluster member, the configuration data from all cluster members is backed up. Likewise, when you restore from a backup on any cluster member, configuration data is restored across all cluster members.

In a search head cluster environment, the scheduled backup runs only on the search head cluster captain. However, you can restore a scheduled backup from any cluster member. If you download the scheduled backup, make sure to download it from the captain as it contains the latest backup.