Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Restore from a backup

Restoring a backup requires root permissions.

You must restore a backup to an instance with the same privilege level. You can restore a backup from a privileged instance to another privileged instance, or from an unprivileged instance to another unprivileged instance. You cannot restore a backup from a privileged instance to an unprivileged instance, or from an unprivileged instance to a privileged instance.

You can use backups in conjunction with the Warm Standby feature for additional protection against system failure.

In clustered deployments, you must issue all backup and restore commands from the same cluster node.

Prepare your system for restore

Before you can perform a restore in your deployment, you must prepare your system. This preparation is especially important if you are restoring data from one deployment to another deployment.

You don't need to perform these steps when restoring a backup to the same deployment; backup creation includes the setup step.

To prepare your deployment before restoring, perform the following steps:

  1. From the command line, SSH to your instance or cluster node.
    ssh <username>@<phantom_hostname>
  2. Change the directory to <PHANTOM_HOME>/bin.
    cd <PHANTOM_HOME>/bin
  3. Prepare the system for a restore.
    sudo phenv python ibackup.pyc --setup


Restore your deployment from a full backup

To restore your deployment from a full backup, follow these steps:

  1. From the command line, SSH to your instance or cluster node.
    ssh <username>@<phantom_hostname>
  2. Change the directory to <PHANTOM_HOME>/bin.
    cd <PHANTOM_HOME>/bin
  3. Prepare the system for a restore.
    sudo phenv python ibackup.pyc --setup
  4. Copy your <number>_phantom_backup.tar from storage to the instance or cluster node you are restoring.
  5. Perform the restore. See the note below.
    sudo phenv python ibackup.pyc --restore <path/to/<number>_phantom_backup.tar>

For deployments of Splunk SOAR (On-premises) in AWS that use RDS for their PostgreSQL database: Do not use ibackup.pyc. Create backups using the backup.pyc tool and perform restores using the restore.pyc tool, as described in Backup the external PostgreSQL database with the Relational Database System (RDS).

Restore a full backup for deployments with an external PostgreSQL database in RDS

If your deployment uses Amazon Web Services (AWS) RDS to host the PostgreSQL database, you cannot use ibackup.pyc to back up or restore the database. Instead, use a combination of the automatic backups in RDS and the older backup.pyc and restore.pyc tools. For information on using the backup and restore features of RDS, see Backing up and restoring an Amazon RDS DB instance in the AWS documentation. To perform a restore using the restore.pyc tool, follow these steps:

  1. From the command line, SSH to your instance.
    ssh <username>@<phantom_hostname>
  2. Change the directory to <PHANTOM_HOME>/bin.
    cd <PHANTOM_HOME>/bin
  3. Perform the restore.
    sudo phenv python restore.pyc --file <PATH/TO/BACKUP/FILE>
    For this use, you can safely ignore the deprecation warning.

The command output looks like this:

[root@phantom bin]# phenv python restore.pyc --file /opt/phantom/data/phantom_backups/phantom_backup_2020-09-09-22-49-17.tgz
[pid: 10562] [09/Sep/2020 23:03:06]   restore.py:692  WARNING: The --all option of the backup.pyc script has been deprecated. Please use the ibackup.pyc script to perform backups and restores. Documentation for the new script can be found at https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Admin/BackupOrRestoreOverview. The --config option of the backup.pyc script will continue to work with ibackup.pyc.

[2020-09-09 23:03:06] The --all option of the backup.pyc script has been deprecated. Please use the ibackup.pyc script to perform backups and restores. Documentation for the new script can be found at https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Admin/BackupOrRestoreOverview. The --config option of the backup.pyc script will continue to work with ibackup.pyc.


restore.pyc 2.0.0
[2020-09-09 23:03:06] Stopping all Phantom services except PostgreSQL
Stopping Supervisor daemon manager...[  OK  ]
/opt/phantom/proxy/bin/splunk_proxyd is already stopped
Stopping phantom_actiond:                                  [  OK  ]
Stopping phantom_workflowd:                                [  OK  ]
Stopping phantom_ingestd:                                  [  OK  ]
Stopping phantom_decided:                                  [  OK  ]
[2020-09-09 23:03:12] Extracting backup tarball (this may take a while)
The backup file appears to be a full backup.  This will overwrite any existing data upon restore.  Proceed? [y/N]y
[2020-09-09 23:03:21] Loading tables from backup into database
[===========================================================================] 100%
[2020-09-09 23:03:24] Deleting existing Phantom database records
[===========================================================================] 100%
[2020-09-09 23:03:31] Inserting backup rows into main tables
[===========================================================================] 100%
[2020-09-09 23:03:31] Dropping temporary archive tables used for backup
[===========================================================================] 100%
[2020-09-09 23:03:32] Finalizing transaction
[2020-09-09 23:03:32] Updating the main menu
[2020-09-09 23:03:32] Restoring specific Phantom file backups
[===========================================================================] 100%
[2020-09-09 23:03:32] Configuring NGINX SSL certificates (this may take a while)
[2020-09-09 23:03:44] Restoring Phantom subdirectories
[===========================================================================] 100%
[2020-09-09 23:04:05] Running /opt/phantom/bin/start_phantom.sh
Starting all Phantom services
Phantom startup successful
[2020-09-09 23:04:09] Resetting passwords for Splunk users
[2020-09-09 23:04:17] Done resetting Splunk user passwords
Stopping Supervisor daemon manager...[  OK  ]
Starting Supervisor daemon manager...[  OK  ]
Logs recorded in /opt/phantom/data/phantom_backups/phantom_backup_restore_2020-09-09-23-03-06.log

Restore your system from an incremental backup

You must prepare the system before restoring your system from an incremental backup. See Prepare your system for restore earlier in this topic.

Incremental backups contain only the changes made to your instance since the last full backup or previous incremental backup. An incremental backup is not sufficient to restore a system on its own. It must be used with the related full backup and any intermediate backups.

Here is a sample sequence of restoring your system from an incremental backup. The sequence is important, but there can be varying increments of time between the steps.

  1. Create a full backup called phantom_backup_group_0_level_0.tar.
  2. Create an incremental backup called phantom_backup_group_0_level_1.tar, which is based on phantom_backup_group_0_level_0.tar.
  3. Create a second incremental backup called phantom_backup_group_0_level_2.tar, which is based on phantom_backup_group_0_level_1.tar and phantom_backup_group_0_level_0.tar.

Remember these important points when restoring your system from the sequential files:

  • You can restore phantom_backup_group_0_level_0.tar alone.
  • You cannot restore phantom_backup_group_0_level_1.tar without phantom_backup_group_0_level_0.tar.
  • You cannot restore phantom_backup_group_0_level_2.tar without phantom_backup_group_0_level_0.tar and phantom_backup_group_0_level_1.tar.

Restore the incremental backup

To restore the incremental backup, follow these steps:

  1. From the command line, SSH to your instance or cluster node.
    ssh <username>@<phantom_hostname>
  2. Change the directory to <PHANTOM_HOME>/bin.
    cd <PHANTOM_HOME>/bin
  3. Prepare the system for a restore.
    sudo phenv python ibackup.pyc --setup
  4. Copy the full backup TAR file and any incremental-level TAR files from storage to the instance or cluster node you are restoring.
  5. Perform the restore. Enter the file name of the last incremental backup file you want to restore.
    sudo phenv python ibackup.pyc --restore <phantom_backup_group_<#>_level_<#>.tar>
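Because an incremental level can only be restored when the full backup and every lower level of the same group sit beside it, a pre-flight check saves a failed restore attempt. The following POSIX shell functions are an added example, not part of the Splunk documentation or the ibackup.pyc tool; they assume only the phantom_backup_group_<g>_level_<n>.tar naming scheme described above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk code): verify the incremental chain before running
#   sudo phenv python ibackup.pyc --restore <file>
# Assumes the documented file names phantom_backup_group_<g>_level_<n>.tar and
# that all levels of a group were copied into the same directory.

# missing_levels DIR GROUP LEVEL
# Prints the names of levels 0..LEVEL-1 that are absent from DIR;
# prints nothing when the chain below LEVEL is complete.
missing_levels() {
    dir=$1; group=$2; level=$3
    n=0
    while [ "$n" -lt "$level" ]; do
        f="phantom_backup_group_${group}_level_${n}.tar"
        [ -f "$dir/$f" ] || printf '%s\n' "$f"
        n=$((n + 1))
    done
}

# restore_chain_ok DIR FILE
# Parses group and level out of FILE and returns 0 only when FILE and every
# earlier level of its group exist in DIR (a level-0 file needs nothing else).
restore_chain_ok() {
    dir=$1; file=$2
    case $file in
        phantom_backup_group_*_level_*.tar) ;;
        *) echo "unrecognised backup file name: $file" >&2; return 2 ;;
    esac
    group=${file#phantom_backup_group_}; group=${group%%_level_*}
    level=${file##*_level_}; level=${level%.tar}
    [ -f "$dir/$file" ] || { echo "missing target file: $file" >&2; return 1; }
    missing=$(missing_levels "$dir" "$group" "$level")
    if [ -n "$missing" ]; then
        echo "cannot restore $file; earlier levels are missing:" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    return 0
}

# Typical use on the node being restored (the paths are those shown in the
# page's sample output); run the documented setup and restore only if the
# chain is complete.
# cd /opt/phantom/bin
# restore_chain_ok /opt/phantom/data/backup phantom_backup_group_0_level_2.tar &&
#     sudo phenv python ibackup.pyc --setup &&
#     sudo phenv python ibackup.pyc --restore /opt/phantom/data/backup/phantom_backup_group_0_level_2.tar
```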

Determine whether the system restore was successful

If the restore is successful, it writes information to the console. Here is an example of console output from a successful restore:

[root@phantom bin]# phenv python ibackup.pyc --restore /opt/phantom/data/backup/phantom_backup_group_0_level_0.tar 
[06/Feb/2020 20:10:15] INFO: Running ibackup.pyc - details will be logged to /var/log/phantom/backup/ibackup_2020-02-06T20:10:15.089127Z.log
[06/Feb/2020 20:10:15] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:10:17] INFO: Checking filesystem backup state at /opt/phantom/data/ibackup/repo/fs
[06/Feb/2020 20:10:17] INFO: Restoring this backup requires utilizing 9.11334507138% of the total volume capacity
[06/Feb/2020 20:10:17] INFO: Available: 45901836288 , Required: 2008317952.0
[06/Feb/2020 20:10:21] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:21] INFO: Retrying ...
[06/Feb/2020 20:10:22] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:22] INFO: Retrying ...
[06/Feb/2020 20:10:24] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:24] INFO: Retrying ...
[06/Feb/2020 20:10:28] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:28] INFO: Retrying ...
[06/Feb/2020 20:10:36] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:10:38] INFO: Extracting backup file /opt/phantom/data/backup/phantom_backup_group_0_level_0.tar
[06/Feb/2020 20:11:08] INFO: Restoring files to filesystem
[06/Feb/2020 20:11:17] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:11:27] INFO: Restore complete

Prepare for subsequent backups

After restoring your system, you must run sudo phenv python ibackup.pyc --setup again before you can make new backups. See Prepare your system for restore earlier in this topic.

Last modified on 21 November, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2
