Splunk® IT Service Intelligence

Administration Manual

This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

Restore a full or partial backup of ITSI

Restoring a backup of IT Service Intelligence (ITSI) merges the JSON data contained in the backup ZIP file with your existing KV store data in the following ways:

  • If you added new objects since you created the backup, ITSI keeps these objects.
  • If an existing object matches an object in the backup file, the existing object is replaced.
  • All other existing objects are preserved.

If you restart Splunk software while a backup or restore job is in progress, the job resumes after the restart is complete. Queued jobs automatically time out if they are not completed within twelve hours. You can change the default timeout duration by updating the value of job_queue_timeout in the [backup_restore] stanza in a local version of itsi_settings.conf.

Version and deployment considerations

The restore modal displays a warning if a backup came from a deployment that's different from the current deployment. A different deployment means the backup came from another instance or search head cluster, depending on the deployment structure. Restoring from a different deployment might cause security issues, so consider rechecking the backup before proceeding.

ITSI supports backups taken from the the current version, and up to three versions earlier than the current version. Restoring a backup to an earlier version isn't supported.


    • You must create a backup before you can restore it. For instructions, see Create a full backup of ITSI and Create a partial backup of ITSI.
    • Make sure no service templates are syncing. Check the sync status of service templates by clicking Configuration > Service Templates from the ITSI main menu.
    • Make sure all technology add-ons (TAs), supporting add-ons (SAs), and domain add-ons (DAs) that exist on the old system are installed on the new system.
    • If you've made modifications to any add-ons on the old system, manually copy those add-ons over the new system before restoring.

Restore from a backup

You can restore from a default scheduled backup or a backup that you created.

  1. On the ITSI top menu bar, click Configuration > Backup/Restore and find the backup that you want to restore from.
  2. Click Edit > Restore Backup.
  3. If you're restoring a scheduled backup, select a saved backup from the list. If you're restoring a created backup, go to the next step.
  4. Click Start Restore. "Restore from" is prepended to the backup name in the jobs list. A message stating that the restore job successfully completed appears in the messages dropdown list in Splunk Web.
  5. If you restored a backup that contains configuration files, you must restart your Splunk Enterprise instance.

Restore from a backup ZIP file

You can download any backup ZIP file that is created when you run a backup job in the UI and then restore from that backup ZIP file using the Backup/Restore Jobs UI. The maximum file size supported for uploading a backup file is 500 MB.

Perform the following steps to download a backup ZIP file:

  1. On the ITSI top menu bar, click Configuration > Backup/Restore and find the backup file that you want to download.
  2. Click Edit > Download Backup. If you are restoring a scheduled backup, select a saved backup from the list. If you are restoring a created backup, the backup file displays.
  3. Save the file. The backup ZIP file downloads to your local machine.

Perform the following steps to restore from a downloaded backup ZIP file:

  1. On the Backup/Restore Jobs page, click Create Job > Create Restore Job.
  2. Provide a name and an optional description of the backup.
  3. Click Choose File and select the previously downloaded backup ZIP file that you want to restore from.
  4. (Optional) Toggle Include .conf files to restore any configuration files included in the backup.
  5. Click Create.
    ITSI uploads the backup ZIP file and the new restore job appears in the Backup/Restore Jobs list. A message stating that the restore job has successfully completed appears in the Message drop-down list in Splunk Web.
  6. (Optional) If you restore from a backup that contains .conf files, you must restart Splunk software.

How teams are restored

Team permissions are retained when teams are restored. The roles assigned to the teams must exist on the system that the backup is restored to. For example, suppose a restore creates teams called "HR" and "Finance", which have read/write access for the hr_admin and finance_admin roles. If the current system doesn't have these roles, only the itoa_admin role can access these teams. If the roles assigned to the teams don't exist on the system, you can create them either before or after restoring.

Last modified on 15 December, 2023
Create a partial backup of ITSI   kvstore_to_json.py operations in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters