Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)


backup tools

Use the ibackup tool to create, manage, and restore backups for Splunk SOAR (On-premises). The backup file can be transferred to another system and used to restore the state of the system at the time the backup was created.

On privileged deployments, logs for each run of the tool are written to /var/log/phantom/backup/backup.log, and completed backups are stored in <PHANTOM_HOME>/phantom/data/backup.

On all unprivileged deployments, the logs are written to <PHANTOM_HOME>/var/log/phantom/backup/backup.log, and backups are stored in <PHANTOM_HOME>/phantom/data/backup.

You can find a repository of staging files for the PostgreSQL database backup in <PHANTOM_HOME>/data/ibackup/repo/pg.

ibackup arguments

The following table shows the ibackup arguments:

Argument Description
 -h, --help Shows the ibackup tool help message and exits.
 --setup Prepares the instance or cluster for backup and restore.
 --max-cores <maximum number of CPU cores> Specifies the maximum number of processing cores allowed for database backup and restore operations. Specify more cores to increase backup performance; reduce the number of cores if making backups reduces system performance. The default value is two cores. The minimum value is one core.
 --backup Performs a backup.
 --restore <path/to/backup/> Performs a restore. You must provide a path to the desired backup tar file to perform a restore.
 --set-pgbackrest-repo <path/to/repository> Sets the path of the pgbackrest repository. If you specify a different repository, you will need to specify the path to backups in your --restore commands.
 --ibackup-root <path/to/backup_root_directory> Overrides the root directory for ibackup. This is different from the --backup-path argument, which sets a path for a single backup; --ibackup-root overrides the default root directory for all backups in a group.
  • The directory must already exist and belong to the user account that runs Splunk SOAR (On-premises).
  • This argument must be supplied when you use the --setup, --backup, and --restore commands.
  • This argument must be supplied for all backups in a backup group.
 --backup-components <list of components> Selectively backs up specific components. The default is all components.

You must specify the same components for --restore-components when you restore using a backup created this way. See --restore-components for a complete list.

For example: --backup-components db,playbooks,keys

 --fs-only Backs up only critical files. Use this in conjunction with AWS backup tools on systems in AWS with RDS databases.

Only GlusterFS, XFS, ext4, and NFS filesystems are supported. Other filesystems are not backed up using ibackup.

 --config-only Backs up only configuration data. This always creates a full backup of the configuration data; incremental backup of configuration data is not supported.

Using the --config-only argument requires Splunk SOAR (On-premises) to shut down in order to create the configuration backup.

 --restore-components <list of components> Selectively restores specific components. The default is all components.

The following components are valid components:

  • db: the PostgreSQL database
  • configuration: the instance or cluster configuration information
  • apps: the apps installed for
  • app_states: the state of each app at the time of the backup
  • playbooks: the current playbooks in the scm
  • playbooks_states: the current state of each playbook at the time of the backup
  • vault: the vault

For example: --restore-components db,playbooks,keys

 --list-backups Lists existing backups and their state. Use with --verbosity for more detailed output.
 --delete-all Deletes all backups. This action is irreversible. You must restart PostgreSQL after using this option:
   phsvc restart postgresql

 --delete-backup-group <group number> Deletes a full backup group. Takes an integer that represents the backup group to delete.
 --backup-path <path/to/store/backups> Overrides the default backup path <PHANTOM_HOME>/phantom/data/backup. Takes a directory path for the directory where backups will be stored.
 --backup-type <full, incr> Specifies the backup type.
  • Using full creates a new full backup.
  • Using incr creates an incremental on top of the current full backup.
  • If no full backup is taken and incr is given, the backup type defaults to full.

The default option if none is specified is incr.

 --set-full-backup-limit <value> Sets the maximum number of full backups allowed at once. Automatically rotates once the limit is reached.
 --list-settings Lists the current settings for ibackup.
 --force-pg-stop-backup This option has been removed.
 --no-prompt Automatically responds with "yes" to all prompts from ibackup.
 --ignore-size-check Use this argument to skip the check for available disk space before performing a backup or restore.
  • If you don't specify this argument and ibackup does not detect enough free space, you are prompted to either continue or to cancel the backup or restore operation.
  • Use this argument for unattended backup operations.
 --ignore-env-check Ignore the environment check when running ibackup.
 -v <0, 1, 2, 3>, --verbosity <0, 1, 2, 3> Sets the verbosity level: 0 = minimal output, 1 = normal output, 2 = verbose output, 3 = very verbose output.
 --no-color Don't colorize the command output.
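The arguments above combine into two recurring tasks: an unattended backup (which needs --no-prompt and --ignore-size-check so nothing blocks waiting for input) and a later restore that must name exactly the components the backup was created with. The following wrapper is an added example and is not part of Splunk SOAR or the ibackup tool. It validates component names against the list in this topic, builds the ibackup command lines, records the component list used for a backup in a sidecar file, and refuses a restore whose --restore-components differs from that record. The binary path, the backup root, the manifest file and the DRY_RUN switch are assumptions for illustration; with DRY_RUN=1 (the default) the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example wrapper around ibackup (not part of Splunk SOAR).
# Assumed, not from the documentation: IBACKUP_BIN, IBACKUP_ROOT, MANIFEST, DRY_RUN.
IBACKUP_BIN="${IBACKUP_BIN:-/opt/phantom/bin/ibackup}"        # assumed install path
IBACKUP_ROOT="${IBACKUP_ROOT:-/opt/phantom/data/backup}"      # must exist and belong to the SOAR user
MANIFEST="${MANIFEST:-$IBACKUP_ROOT/last_backup_components}"  # hypothetical sidecar written by run_backup
DRY_RUN="${DRY_RUN:-1}"                                       # 1 = print commands only

# Component names the documentation lists for --backup-components / --restore-components.
VALID_COMPONENTS="db configuration apps app_states playbooks playbooks_states vault"

# validate_components "db,playbooks": succeed only if every comma-separated item is valid.
validate_components() {
    [ -n "$1" ] || return 1
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        case " $VALID_COMPONENTS " in
            *" $c "*) ;;
            *) echo "unknown component: $c" >&2; return 1 ;;
        esac
    done
    return 0
}

# backup_cmd TYPE COMPONENTS: print the unattended backup command line.
backup_cmd() {
    case "$1" in full|incr) ;; *) echo "backup type must be full or incr: $1" >&2; return 1 ;; esac
    validate_components "$2" || return 1
    printf '%s --backup --backup-type %s --backup-components %s --ibackup-root %s --max-cores 2 --no-prompt --ignore-size-check\n' \
        "$IBACKUP_BIN" "$1" "$2" "$IBACKUP_ROOT"
}

# restore_cmd TARFILE COMPONENTS RECORDED: print the restore command line, refusing
# to proceed when COMPONENTS is not the RECORDED set the backup was created with.
restore_cmd() {
    if [ "$2" != "$3" ]; then
        echo "refusing restore: components '$2' differ from backup components '$3'" >&2
        return 1
    fi
    validate_components "$2" || return 1
    printf '%s --restore %s --restore-components %s --ibackup-root %s --no-prompt --ignore-size-check\n' \
        "$IBACKUP_BIN" "$1" "$2" "$IBACKUP_ROOT"
}

# run_backup TYPE COMPONENTS: run (or print) the backup and record the component list.
run_backup() {
    cmd=$(backup_cmd "$1" "$2") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        $cmd && printf '%s\n' "$2" > "$MANIFEST"
    fi
}

# run_restore TARFILE COMPONENTS: run (or print) the restore against the recorded list.
run_restore() {
    recorded=$(cat "$MANIFEST" 2>/dev/null) || { echo "no manifest at $MANIFEST" >&2; return 1; }
    cmd=$(restore_cmd "$1" "$2" "$recorded") || return 1
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
}

# Usage: ./soar_backup.sh backup full db,playbooks
#        ./soar_backup.sh restore <path/to/backup/tar/file> db,playbooks
case "${1:-}" in
    backup)  run_backup "$2" "$3" ;;
    restore) run_restore "$2" "$3" ;;
esac
```

The script deliberately pins --max-cores 2, the documented default, so that a scheduled backup never takes more cores than an administrator expects; raise it only after checking that backups do not degrade the instance. Because --ibackup-root must be supplied consistently for every backup in a group, the wrapper passes the same root on both the backup and the restore side.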
Last modified on 16 July, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0

