Stop the primary system from synchronizing with the standby system
If you have a case where the standby Splunk UBA system fails, perform the following tasks to stop the primary system from trying to synchronize with the standby system:
- Log in to the management node of the primary Splunk UBA system as caspida.
- Stop all Splunk UBA services:
/etc/caspida/local/conf/uba-site.propertiesand change the
replication.enabledproperty to false:
- Synchronize the cluster:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Start Splunk UBA services:
In cases where warm standby can't be configured, you can continue to use automated incremental backups for your Splunk UBA data. See Configure automated incremental backups in Splunk UBA.
Change the role of both systems to switch the primary and standby systems
Clean up the standby system if you accidentally started Splunk UBA services
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 18.104.22.168, 5.0.5, 22.214.171.124