Perform periodic cleanup of the backup files
Splunk UBA provides scripts that automatically clean up the backup files on your system so that you don't run out of space. The following scripts are located in the /etc/cron.monthly directory to perform periodic cleanup of incremental backup and Postgres files. You can edit the scripts to update the cron settings for how frequently the scripts are run.
|remove_pg_logs||Postgres logs can accumulate over time and take up large amounts of space on your system. This script removes all logs older than 14 days.|
|remove_pg_walarchive||The /backup/wal_archive directory contains the Postgres write-ahead logging (WAL) files used to recover Splunk UBA to a specific point using an incremental backup. This script removes WAL files older than 14 days. If your WAL files are not located in the /backup/wal_archive directory, edit the script to point to the location of your WAL files.|
Clean up older backup files in the delete directory
Completed full backups are saved in the
caspida directory. All existing backups in the
caspida directory are moved to
delete directory. You can safely remove all content in the
delete directory to help minimize the number of files retained on the system, while also preserving recovery capability to the latest checkpoint. Perform this cleanup at least once a month.
In the following example, it is safe to remove all backup directories
/backup/delete/, while keeping
1000039 folder contains a full backup, while all the other directories starting with zero contain incremental backups.
caspida@node1:~$ ls -t /backup/caspida/ /backup/delete/ /backup/caspida/: 0000045 0000044 0000043 0000042 0000041 0000040 1000039 /backup/delete/: 0000038 0000036 1000034 0000032 0000030 0000028 0000026 0000024 0000022 1000020 0000037 0000035 0000033 0000031 0000029 0000027 0000025 0000023 0000021
Restore Splunk UBA from incremental backups
Disable automated incremental backups
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 18.104.22.168, 5.2.0, 5.2.1, 5.3.0