Splunk® IT Essentials Work

Administration Manual

Splunk IT Essentials Work version 4.9.0 isn't available for download.
This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Overview of backing up ITE Work KV store data

Regularly backing up the KV store lets you restore your data from a backup in the event of a disaster or if you add a search head to a cluster. You can perform both full backups and partial backups of your data.

When you run a backup job, ITE Work saves your data to a set of JSON files compressed into a single ZIP file located in $SPLUNK_HOME/var/itsi/backups on the search head. ITE Work detects and preserves the application version that it creates a backup from. When you restore from a backup, ITE Work detects the correct version of the backup and performs the required migration.

You can perform the following backup and restore operations within ITE Work:

Splunk Cloud Platform customers must back up and restore their data from the ITE Work user interface.

The following table describes the functionality available in each backup and restore method:

Method | Backup/Restore UI | Command line script | Comments
Full backup | X | X |
Partial backup | X | X | If you perform a partial backup using the command line script, the backup does not include dependent objects.
Partial restore | X | |
Merge changes during restore | X | X | Merges objects in the backup with existing KV store objects.
Clean restore | | X | Replaces existing KV store objects with objects in the backup.

In addition to any custom backup jobs you create, ITE Work also takes a default scheduled backup of your KV store data every day at 1:00 AM. For more information, see About default scheduled backups in ITE Work.
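
The following check is an added example, not part of the Splunk documentation or product. It verifies that a backup ZIP is readable, that the JSON files inside it parse, and that the file is recent enough for the daily schedule described above. The `.json` member suffix, the 26-hour freshness threshold, and the sample archives built in `demo()` are assumptions made for illustration.

```python
import json
import os
import tempfile
import time
import zipfile

MAX_AGE_HOURS = 26  # assumption: daily 1:00 AM job plus two hours of slack


def check_backup(zip_path, now=None, max_age_hours=MAX_AGE_HOURS):
    """Return a list of problems with one backup ZIP; an empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    age_h = (now - os.path.getmtime(zip_path)) / 3600
    if age_h > max_age_hours:
        problems.append(f"stale: {age_h:.0f}h old")
    try:
        with zipfile.ZipFile(zip_path) as zf:
            bad = zf.testzip()  # CRC-checks every member
            if bad:
                return problems + [f"corrupt member: {bad}"]
            names = [n for n in zf.namelist() if n.lower().endswith(".json")]
            if not names:
                problems.append("no JSON files in archive")
            for name in names:
                try:
                    json.loads(zf.read(name))
                except ValueError as exc:
                    problems.append(f"invalid JSON in {name}: {exc}")
    except zipfile.BadZipFile:
        problems.append("not a valid ZIP file")
    return problems


def demo():
    """Check constructed sample archives (not real ITE Work backups)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.zip")
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("sample.json", json.dumps([{"title": "constructed"}]))
        cut = os.path.join(d, "truncated.zip")
        with open(good, "rb") as src, open(cut, "wb") as dst:
            dst.write(src.read()[:40])  # simulate an interrupted copy
        later = time.time() + 72 * 3600
        return check_backup(good), check_backup(cut), check_backup(good, now=later)


if __name__ == "__main__":
    print(demo())
```

To use it on a real system, call `check_backup` on a ZIP file in $SPLUNK_HOME/var/itsi/backups. A passing result shows only that the archive is structurally readable; a test restore is still the only proof that it restores.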

Difference between an ITE Work backup and a Splunk Enterprise backup

Splunk Enterprise offers an option to back up and restore the KV store. For more information, see Back up and restore KV store in the Splunk Enterprise Admin Manual. However, an ITE Work backup is specifically formatted to process the content in the ITSI (IT Service Intelligence) backup files. The Splunk Enterprise backup is not formatted like an ITE Work backup, so you cannot use it to back up your ITSI or ITE Work data.

ITE Work processes all backup content. ITE Work also triggers other activities, such as saved search generation and object dependency updates. Directly restoring Splunk Enterprise KV store data does not restore the ITE Work system completely. Instead, use the processes described in this topic to back up your ITSI or ITE Work data.

What gets backed up

The following table describes the types of data included and not included in an ITE Work backup.

Data | Included in backup? | Example
KV store objects | Yes | Services, service templates, entities, KPIs, KPI base searches, teams, glass tables, service analyzers, deep dives
Indexed data | No | ITSI summary index, notable events

To back up indexed data, use the same approach you use to back up other Splunk indexes. For more information, see Back up indexed data in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Back up and restore in a search head cluster environment

You can run backup and restore jobs from the Backup/Restore page in search head cluster environments. You can create a backup on any cluster member and then restore data from that backup on any cluster member, regardless of where you initiated the backup.

For example, suppose your search head cluster has three cluster members: sh-01, sh-02, and sh-03. If you create a backup on sh-01, you can restore that backup on sh-01, sh-02, or sh-03.

When you create a backup on any search head cluster member, the configuration data from all cluster members is backed up. Likewise, when you restore from a backup on any cluster member, configuration data is restored across all cluster members.

In a search head cluster environment, the scheduled backup runs only on the search head cluster captain. However, you can restore a scheduled backup from any cluster member. If you download the scheduled backup, make sure to download it from the captain as it contains the latest backup.

Last modified on 19 December, 2023

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3

