Splunk® IT Service Intelligence

Administration Manual

Overview of backing up and restoring ITSI KV store data

Regularly backing up the KV store lets you restore your IT Service Intelligence (ITSI) data from a backup in the event of a disaster or if you add a search head to a cluster. You can perform both full backups and partial backups of your data.

When you run a backup job, ITSI saves your data to a set of JSON files compressed into a single ZIP file located in $SPLUNK_HOME/var/itsi/backups on the search head. ITSI detects and preserves the application version that it creates a backup from. When you restore from a backup, ITSI detects the correct version of the backup and performs the required migration.
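A pre-restore check for the archive format described above, as an added example that is not Splunk's own code: it records a SHA-256 of the ZIP, verifies member CRCs, rejects member paths that would escape the extraction directory, and confirms each member parses as JSON. The member names in the sample are made up, and treating any non-.json member as unexpected is an assumption drawn from the description of the backup as a set of JSON files.

```python
import hashlib
import io
import json
import zipfile
from pathlib import PurePosixPath

def inspect_backup(zip_bytes: bytes) -> dict:
    """Check a backup archive before it is handed to a restore job."""
    report = {"sha256": hashlib.sha256(zip_bytes).hexdigest(),
              "json_ok": [], "problems": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        report["problems"].append(f"not a ZIP archive: {exc}")
        return report
    with archive:
        corrupt = archive.testzip()  # first member whose CRC does not match
        if corrupt:
            report["problems"].append(f"CRC mismatch: {corrupt}")
            return report
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            if path.is_absolute() or ".." in path.parts:
                report["problems"].append(f"unsafe member path: {info.filename}")
                continue
            # Assumption: the archive should hold only .json members.
            if path.suffix.lower() != ".json":
                report["problems"].append(f"unexpected member: {info.filename}")
                continue
            try:
                json.loads(archive.read(info))
                report["json_ok"].append(info.filename)
            except (UnicodeDecodeError, json.JSONDecodeError) as exc:
                report["problems"].append(f"invalid JSON in {info.filename}: {exc}")
    return report

def make_sample(members: dict) -> bytes:
    """Build a constructed archive in memory; member names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_backup(make_sample({"services.json": '[{"title": "web"}]'})))
```

Comparing the recorded SHA-256 at backup time and again before restore shows whether the archive changed while it was stored or copied between search heads.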

You can perform the following backup and restore operations within ITSI:

Splunk Cloud Platform customers must back up and restore their data from the ITSI user interface.

The following table describes the functionality available in each backup and restore method:

| Method | Backup/Restore UI | Command line script | Comments |
| --- | --- | --- | --- |
| Full backup | X | X | |
| Partial backup | X | X | If you perform a partial backup using the command line script, the backup does not include dependent objects. |
| Partial restore | X | | |
| Merge changes during restore | X | X | Merges objects in the backup with existing KV store objects. |
| Clean restore | | X | Replaces existing KV store objects with objects in the backup. |

In addition to any custom backup jobs you create, ITSI also takes a default scheduled backup of your KV store data every day at 1:00 AM. For more information, see About the default scheduled backup in ITSI.

Difference between an ITSI backup and a Splunk Enterprise backup

Splunk Enterprise offers an option to back up and restore the KV store. For more information, see Back up and restore KV store in the Splunk Enterprise Admin Manual. However, an ITSI backup is specifically formatted to process the content in the ITSI backup files. The Splunk Enterprise backup is not formatted like an ITSI backup, so you cannot use it to back up your ITSI data.

ITSI processes all backup content. ITSI also triggers many other activities, such as saved search generation and object dependency updates. Directly restoring Splunk Enterprise KV store data does not restore the ITSI system completely. Instead, use the processes described in this topic to back up your ITSI data.

What gets backed up

The following table describes the types of data included and not included in an ITSI backup.

| Data | Included in backup? | Example |
| --- | --- | --- |
| KV store objects | Yes | Services, service templates, entities, KPIs, KPI base searches, teams, glass tables, service analyzers, deep dives |
| Indexed data | No | ITSI summary index, notable events |

To back up indexed data, use the same approach you use to back up other Splunk indexes. For more information, see Back up indexed data in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Back up and restore in a search head cluster environment

You can run backup and restore jobs from the Backup/Restore page in search head cluster environments. You can create a backup on any cluster member and then restore data from that backup on any cluster member, regardless of where you initiated the backup.

For example, suppose your search head cluster has three cluster members: sh-01, sh-02, and sh-03. If you create a backup on sh-01, you can restore that backup on sh-01, sh-02, or sh-03.

When you create a backup on any search head cluster member, the configuration data from all cluster members is backed up. Likewise, when you restore from a backup on any cluster member, configuration data is restored across all cluster members.

In a search head cluster environment, the scheduled backup runs only on the search head cluster captain. However, you can restore a scheduled backup from any cluster member. If you download the scheduled backup, make sure to download it from the captain as it contains the latest backup.

Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0
