Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the classic playbook editor is removed, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify them.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Restore from a backup

You can use backups in conjunction with the Warm Standby feature for additional protection against system failure.

For deployments of Splunk SOAR (On-premises) in AWS that use RDS for their PostgreSQL database: Do not use the ibackup command. Create backups using the backup.pyc tool and perform restores using the restore.pyc tool, as described in Backup the external PostgreSQL database with the Relational Database System (RDS).

In clustered deployments, you must issue all backup and restore commands from the same cluster node.

Prepare your system for restore

Before you can perform a restore in your deployment, you must prepare your system. This preparation is especially important if you are restoring data from one deployment to another deployment.

You don't need to perform these steps when restoring a backup to the same deployment; backup creation includes the setup step.

To prepare your deployment before restoring, perform the following steps:

  1. From the command line, SSH to your instance or cluster node.
    ssh <username>@<phantom_hostname>
  2. Prepare the system for a restore.
    phenv ibackup --setup

Restore your deployment from a full backup

To restore your deployment from a full backup, follow these steps:

  1. From the command line, SSH to your instance or cluster node.
    ssh <username>@<phantom_hostname>
  2. Prepare the system for a restore.
    phenv ibackup --setup
  3. Copy your <number>_phantom_backup.tar from storage to the instance or cluster node you are restoring.
  4. Perform the restore. See the following notes.
    phenv ibackup --restore <path/to/<number>_phantom_backup.tar>

Use the --ignore-env-check flag to disable the check that the environment variables on the restore instance match those on the instance the backup was taken from. You typically need this flag only when restoring a backup to a different deployment.

Restore a full backup for deployments with an external PostgreSQL database in RDS

Amazon Web Services RDS provides automatic backups of hosted PostgreSQL databases which are managed and restored using the management console. See Backing up and restoring a DB instance in the AWS documentation.

  • The filesystem backup of your deployment must be created using the --fs-only option of the ibackup tool.
  • You can restore the filesystem backup using the --restore option of the ibackup tool.

See Splunk SOAR (On-premises) backup tools.

Restore your system from an incremental backup

You must prepare the system before restoring your system from an incremental backup. See Prepare your system for restore earlier in this topic.

Incremental backups contain only the changes made to your instance since the last full backup or previous incremental backup. An incremental backup is not sufficient to restore a system on its own. It must be used with the related full backup and any intermediate backups.

Here is a sample sequence of restoring your system from an incremental backup. The sequence is important, but there can be varying increments of time between the steps.

  1. Create a full backup called phantom_backup_group_0_level_0.tar.
  2. Create an incremental backup called phantom_backup_group_0_level_1.tar, which is based on phantom_backup_group_0_level_0.tar.
  3. Create a second incremental backup called phantom_backup_group_0_level_2.tar, which is based on phantom_backup_group_0_level_1.tar and phantom_backup_group_0_level_0.tar.

Remember these important points when restoring your system from the sequential files:

  • You can restore phantom_backup_group_0_level_0.tar alone.
  • You cannot restore phantom_backup_group_0_level_1.tar without phantom_backup_group_0_level_0.tar.
  • You cannot restore phantom_backup_group_0_level_2.tar without phantom_backup_group_0_level_0.tar and phantom_backup_group_0_level_1.tar.

Restore the incremental backup

To restore the incremental backup, follow these steps:

  1. From the command line, SSH to your instance or cluster node.
    ssh <username>@<phantom_hostname>
  2. Prepare the system for a restore.
    phenv ibackup --setup
  3. Copy the full backup TAR file and any incremental-level TAR files from storage to the instance or cluster node you are restoring.
  4. Perform the restore. Enter the file name of the last incremental backup file you want to restore.
    phenv ibackup --restore <path/to/phantom_backup_group_<#>_level_<#>.tar>

Use the --ignore-env-check flag to disable the check that the environment variables on the restore instance match those on the instance the backup was taken from. You typically need this flag only when restoring a backup to a different deployment.

Determine whether the system restore was successful

If the restore is successful, it writes information to the console and to the log file named in the first line of output. Repeated "pgbouncer cannot connect to server" messages followed by "Retrying ..." appear in the output of a successful restore; treat the restore as successful only if the output ends with "Restore complete". Here is an example of console output from a successful restore:

[phantom@phantom bin]# phenv ibackup --restore /opt/phantom/data/backup/phantom_backup_group_0_level_0.tar 
[06/Feb/2020 20:10:15] INFO: Running ibackup - details will be logged to /var/log/phantom/backup/ibackup_2020-02-06T20:10:15.089127Z.log
[06/Feb/2020 20:10:15] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:10:17] INFO: Checking filesystem backup state at /opt/phantom/data/ibackup/repo/fs
[06/Feb/2020 20:10:17] INFO: Restoring this backup requires utilizing 9.11334507138% of the total volume capacity
[06/Feb/2020 20:10:17] INFO: Available: 45901836288 , Required: 2008317952.0
[06/Feb/2020 20:10:21] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:21] INFO: Retrying ...
[06/Feb/2020 20:10:22] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:22] INFO: Retrying ...
[06/Feb/2020 20:10:24] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:24] INFO: Retrying ...
[06/Feb/2020 20:10:28] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:28] INFO: Retrying ...
[06/Feb/2020 20:10:36] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:10:38] INFO: Extracting backup file /opt/phantom/data/backup/phantom_backup_group_0_level_0.tar
[06/Feb/2020 20:11:08] INFO: Restoring files to filesystem
[06/Feb/2020 20:11:17] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:11:27] INFO: Restore complete

Prepare for subsequent backups

After restoring your system, you must run phenv ibackup --setup again before you can make new backups. See Prepare your system for restore earlier in this topic.
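The restore procedures above, the incremental chain rule, and the "Restore complete" check can be wrapped in a small shell helper. The following is an added example, not a script shipped with Splunk SOAR: it assumes the phantom_backup_group_<g>_level_<n>.tar naming shown on this page, checks that every lower level of the same group is present before it runs the restore, and treats the restore as successful only if the ibackup output contains "Restore complete". The IBACKUP variable and the function names are assumptions introduced here; only the --setup and --restore options come from the page.

```shell
# Added example: verify an ibackup incremental chain, then run setup, restore
# and the post-restore setup. Not part of Splunk SOAR; IBACKUP, required_chain
# and restore_chain are names chosen for this example.
set -u

# Command used to run ibackup; override (for example with a stub function)
# to dry-run the flow without touching a real deployment.
IBACKUP="${IBACKUP:-phenv ibackup}"

# Print, in order, every archive needed to restore TARGET: levels 0..N of the
# same group. Returns 1 if any of them is missing from DIR, 2 on a bad name.
required_chain() {
    dir="$1"; target="$2"
    base=$(basename "$target")
    case "$base" in
        phantom_backup_group_*_level_*.tar) ;;
        *) echo "unrecognised backup name: $base" >&2; return 2 ;;
    esac
    group=${base#phantom_backup_group_}; group=${group%%_level_*}
    level=${base##*_level_}; level=${level%.tar}
    missing=0
    n=0
    while [ "$n" -le "$level" ]; do
        f="$dir/phantom_backup_group_${group}_level_${n}.tar"
        if [ -f "$f" ]; then
            echo "$f"
        else
            echo "missing: $f" >&2
            missing=1
        fi
        n=$((n + 1))
    done
    return "$missing"
}

# Restore TARGET from DIR: refuse to start on a broken chain, prepare the
# system, restore the last incremental level (ibackup applies the lower levels
# itself), confirm "Restore complete" in the output, then run --setup again so
# that new backups can be taken.
restore_chain() {
    dir="$1"; target="$2"
    required_chain "$dir" "$target" >/dev/null || return 1
    $IBACKUP --setup || return 1
    out=$($IBACKUP --restore "$dir/$(basename "$target")" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'Restore complete' || {
        echo "restore did not report completion:" >&2
        printf '%s\n' "$out" >&2
        return 1
    }
    $IBACKUP --setup
}

# Usage on a real node, after copying the archives into /opt/phantom/data/backup:
#   restore_chain /opt/phantom/data/backup phantom_backup_group_0_level_2.tar
```

Running restore_chain with the default IBACKUP executes the real ibackup tool, so use it only on the node you intend to restore; to rehearse the flow, point IBACKUP at a shell function that prints the expected "Restore complete" line.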

Last modified on 20 February, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.4.0

