Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Prepare to backup Splunk UBA

Read and verify important information before backing up Splunk UBA.

Splunk UBA backups can be restored in the following scenarios:

Backup Method Description and Use Case
Backup and restore Splunk UBA using automated incremental backups Configure periodic full and incremental backups without stopping Splunk UBA. When configured, Splunk UBA will perform a full backup of your system, followed by periodic incremental backups. The incremental backups include any changes to system configurations, custom models, anomaly action rules, HR data and entities, and, threats and anomalies.


Use incremental backup and restore when you want to backup and restore Splunk UBA to the same operating system and same number of nodes.

Migrate Splunk UBA using the backup and restore scripts Run a script to stop Splunk UBA and perform a full backup.


Use the backup and restore scripts to migrate your Splunk UBA deployment to a larger number of nodes on the same operating system.

The restore script removes all file-based data sources and does not restore them on the target Splunk UBA system.

Backup disk size requirements

Add an additional disk to the Splunk UBA management node mounted as /backup for the Splunk UBA backups.

The size of the additional disk must follow these guidelines:

  • The disk size must be at least half the size of your deployment in terabytes. For example, a 10-node system requires a 5TB disk.
  • If you are creating archives, allow for an additional 50 percent of the backup disk size. For example, a 10-node system requires a 5TB disk for backups, and an additional 2.5TB if for archives, so you would need a 7.5TB disk for archived backups.

The table summarizes the minimum disk size requirements for Splunk UBA backups per deployment:

Number of Splunk UBA Nodes Minimum Disk Size for Backup (without archives) Minimum Disk Size for Backup (with archives)
1 Node 1TB 1.5TB
3 Nodes 1TB 1.5TB
5 Nodes 2TB 3TB
7 Nodes 4TB 6TB
10 Nodes 5TB 7.5TB
20 Nodes 10TB 15TB

If you have previous backups on the same disk, be sure to also take this into account when determining available disk space.

Scheduling Splunk UBA backups

Perform or schedule backups of Splunk UBA at 10:00 PM local time to avoid conflicts with the offline models, which begin running at Midnight each night.

How long will my backup take?

The amount of time it takes to perform a backup depends on a number of factors, such as:

  • The size of your environment
  • The age of your environment
  • Network bandwidth
  • Storage throughput
  • Splunk UBA on cloud deployments may be subject to performance restrictions that will significantly increase the backup/restore time
  • Creating a compressed archive will take considerably longer due to the time required to compress the data

As an example, a large multi-node deployment with 5TB of data may complete a backup in less than 2 hours if the network bandwidth and storage throughput are not limiting factors.

Last modified on 18 February, 2022
Use the Splunk UBA login type when Splunk authentication or SSO is not available   Backup and restore Splunk UBA using automated incremental backups

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.1, 5.0.2, 5.0.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters