Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

backup tools

Use the ibackup.pyc tool to create, manage, and restore backups.

Logs for each run of the tool are written to /var/log/phantom/backup/backup.log.

Completed backups are stored in <PHANTOM_HOME>/phantom/data/backup.

If you are using an unprivileged installation, the logs are written to <PHANTOM_HOME>/var/log/phantom/backup/backup.log.

You can find a repository of staging files for the PostgreSQL database backup in <PHANTOM_HOME>/data/ibackup/repo/pg.

ibackup.pyc arguments

The ibackup.pyc tool accepts the following arguments:

-h, --help
    Shows the ibackup.pyc tool help message and exits.

--setup
    Prepares the instance or cluster for backup and restore.

--max-cores <value>
    Specifies the maximum number of processing cores allowed for database backup and restore operations. The default value is two cores.

--backup
    Performs a backup.

--ignore-size-check
    Skips the check for available disk space before performing a backup or restore.
      • If you don't specify this argument and ibackup does not detect enough free space, you are prompted to either continue or cancel the backup or restore operation.
      • Use this argument for unattended backup operations.

--restore <path/to/backup/>
    Performs a restore. You must provide the path to the last backup tar file to perform a restore.

--set-pgbackrest-repo <path to repository>
    Sets the path of the pgbackrest repository.

--backup-components <components>
    Selectively backs up specific Phantom components. The default is all components.
    You must specify the same components for --restore-components when you restore from a backup created this way. See --restore-components for the complete list.
    For example: --backup-components db,playbooks,keys

--config-only
    Backups include only configuration data. This always creates a full backup of configuration data; incremental backup of configuration data is not supported.
    Using the --config-only argument requires Splunk Phantom to shut down in order to create the configuration backup.

--restore-components <components>
    Selectively restores specific Phantom components. The default is all components.
    The following components are valid:
      • db: the PostgreSQL database
      • configuration: the Phantom instance or cluster configuration information
      • apps: the apps installed for Phantom
      • app_states: the state of each app at the time of the backup
      • playbooks: the current playbooks in the scm
      • playbooks_states: the current state of each playbook at the time of the backup
      • vault: the Phantom vault
    For example: --restore-components db,playbooks,keys

--list-backups
    Lists existing backups and their state. Use with --verbose for more detailed output.

--delete-all
    Deletes all backups. This action is irreversible.

--delete-backup-group <group number>
    Deletes a full backup group. Takes an integer that identifies the backup group to delete.

--version
    Shows the ibackup.pyc tool version number and exits.

--backup-path <path/to/store/backups>
    Overrides the default backup path <PHANTOM_HOME>/phantom/data/backup. Takes the path of the directory where backups will be stored.

--backup-type <full,incr>
    Sets the backup type. "full" creates a new full backup; "incr" creates an incremental backup on top of the current full backup.
    If no full backup has been taken and "incr" is given, the backup type defaults to "full". The default if none is specified is "incr".

--set-full-backup-limit <value>
    Sets the maximum number of full backups allowed at once. Backups are rotated automatically once the limit is reached.

--verbose
    Writes debug-level log information to the console.

--list-settings
    Lists the current settings for ibackup.

--no-prompt
    Automatically responds with "yes" to all prompts from ibackup.

The following option has been removed:

--force-pg-stop-backup
    Runs pg_stop_backup against the current PostgreSQL database.
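As an added example (not Splunk's code and not part of this page), the following POSIX shell wrapper shows how the arguments above combine for an unattended, cron-driven run: it takes a full backup on Sunday and an incremental backup on other days, performs its own free-space check before passing --ignore-size-check (which disables ibackup's built-in check), and uses --no-prompt so the run needs no operator. The location of ibackup.pyc, its invocation through the phenv wrapper, the 10 GiB free-space threshold, and the Sunday/weekday schedule are assumptions, not documented on this page.

```shell
#!/bin/sh
# Added example, not Splunk's own code. Unattended wrapper around ibackup.pyc.
# Assumptions (not on the page): PHANTOM_HOME defaults to /opt/phantom, and
# ibackup.pyc lives in $PHANTOM_HOME/bin and is run through the phenv wrapper.
PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"
IBACKUP="${IBACKUP:-$PHANTOM_HOME/bin/phenv python $PHANTOM_HOME/bin/ibackup.pyc}"
BACKUP_PATH="${BACKUP_PATH:-$PHANTOM_HOME/phantom/data/backup}"
MIN_FREE_KB="${MIN_FREE_KB:-10485760}"   # 10 GiB; constructed threshold, tune per site
DRY_RUN="${DRY_RUN:-0}"

# Choose the backup type from the day of week (0 = Sunday): full on Sunday,
# incremental otherwise. ibackup falls back to "full" when no full backup
# exists yet, so requesting "incr" on a fresh system is still safe.
backup_type_for_day() {
    case "$1" in
        0) echo full ;;
        *) echo incr ;;
    esac
}

# Build the argument list for an unattended run. --no-prompt answers "yes"
# to every prompt and --ignore-size-check skips ibackup's free-space check,
# so the wrapper runs its own check (free_space_ok) before calling ibackup.
# $1 = backup type, $2 = optional comma-separated --backup-components list.
build_backup_args() {
    _type="$1"; _components="$2"
    set -- --backup --backup-type "$_type" --backup-path "$BACKUP_PATH" \
           --no-prompt --ignore-size-check
    if [ -n "$_components" ]; then
        set -- "$@" --backup-components "$_components"
    fi
    printf '%s\n' "$*"
}

# Return 0 when the filesystem holding $1 has at least MIN_FREE_KB kilobytes
# available (df -kP is POSIX; the 4th column of the data line is "available").
free_space_ok() {
    _avail=$(df -kP "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    [ "${_avail:-0}" -ge "$MIN_FREE_KB" ]
}

# Run one backup. $1 = optional component list. Returns non-zero without
# touching ibackup when the free-space precondition fails.
run_backup() {
    _type=$(backup_type_for_day "$(date +%w)")
    if ! free_space_ok "$BACKUP_PATH"; then
        echo "backup aborted: less than ${MIN_FREE_KB} KB free under $BACKUP_PATH" >&2
        return 1
    fi
    _args=$(build_backup_args "$_type" "${1:-}")
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $IBACKUP $_args"
        return 0
    fi
    # Intentional word splitting: $IBACKUP and $_args are argument strings.
    $IBACKUP $_args
}

# Usage: ./phantom_backup.sh --run [components]
if [ "${1:-}" = "--run" ]; then
    run_backup "${2:-}"
fi
```

Schedule it from cron as the Phantom user and review /var/log/phantom/backup/backup.log after each run; the wrapper's own free-space check is what stands in for the prompt that --ignore-size-check suppresses.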
Last modified on 08 September, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.4, 4.10.6, 4.10.7
