Overview of backing up and restoring ITSI KV store data
Regularly backing up the KV store lets you restore your IT Service Intelligence (ITSI) data from a backup in the event of a disaster or if you add a search head to a cluster. You can perform both full backups and partial backups of your data.
When you run a backup job, ITSI saves your data to a set of JSON files compressed into a single ZIP file located in
$SPLUNK_HOME/var/itsi/backups on the search head. ITSI detects and preserves the application version that it creates a backup from. When you restore from a backup, ITSI detects the correct version of the backup and performs the required migration.
You can perform the following backup and restore operations within ITSI:
- Create a full backup of ITSI
- Create a partial backup of ITSI
- Restore a full or partial backup of ITSI
Splunk Cloud customers must back up and restore their data from the ITSI user interface.
The following table describes the functionality available in each backup and restore method:
|Method||Backup/Restore UI||Command line script||Comments|
|Partial backup||X||X||If you perform a partial backup using the command line script, the backup does not include dependent objects.|
|Merge changes during restore
||X||X||Merges objects in the backup with existing KV store objects.|
||X||Replaces existing KV store objects with objects in the backup.|
In addition to any custom backup jobs you create, ITSI also takes a default scheduled backup of your KV store data every day at 1:00 AM. For more information, see About the default scheduled backup in ITSI.
Difference between an ITSI backup and a Splunk Enterprise backup
Splunk Enterprise offers an option to back up and restore the KV store. For more information, see Back up and restore KV store in the Splunk Enterprise Admin Manual. However, an ITSI backup is specifically formatted to process the content in the ITSI backup files. The Splunk Enterprise backup is not formatted like an ITSI backup, so you cannot use it to back up your ITSI data.
ITSI processes all backup content. ITSI also triggers many other activities, such as saved search generation and object dependency updates. Directly restoring Splunk Enterprise KV store data does not restore the ITSI system completely. Instead, use the processes described in this topic to back up your ITSI data.
What gets backed up
The following table describes the types of data included and not included in an ITSI backup.
|Data||Included in backup?||Example|
|KV store objects||Yes||Services, service templates, entities, KPIs, KPI base searches, teams, glass tables, service analyzers, deep dives|
|Indexed data||No||ITSI summary index, notable events|
To back up indexed data, use the same approach you use to back up other Splunk indexes. For more information, see Back up indexed data in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Back up and restore in a search head cluster environment
You can run backup and restore jobs from the Backup/Restore page in search head cluster environments. You can create a backup on any cluster member and then restore data from that backup on any cluster member, regardless of where you initiated the backup.
For example, suppose your search head cluster has three cluster members:
sh-03. If you create a backup on
sh-01, you can restore that backup on
When you create a backup on any search head cluster member, the configuration data from all cluster members is backed up. Likewise, when you restore from a backup on any cluster member, configuration data is restored across all cluster members.
In a search head cluster environment, the scheduled backup runs only on the search head cluster captain. However, you can restore a scheduled backup from any cluster member. If you download the scheduled backup, make sure to download it from the captain as it contains the latest backup.
Schedule maintenance downtime in ITSI
About the default scheduled backup in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2