Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Prepare automated incremental backups in Splunk UBA

Configure periodic full and incremental backups without stopping Splunk UBA. When configured, Splunk UBA will perform a full backup of your system, followed by periodic incremental backups. The incremental backups include any changes to system configurations, custom models, anomaly action rules, HR data and entities, and, threats and anomalies.

  • Periodic incremental backups are performed without stopping Splunk UBA. You can configure the frequency of these backups by configuring the cron job in the ReplicationCoordinator property in the /etc/caspida/local/conf/caspida-jobs.json file. See Configure automated incremental backups in Splunk UBA for instructions.
  • A weekly full backup is performed without stopping Splunk UBA. You can configure the frequency of these backups using the backup.filesystem.full.interval property.

Use incremental backup and restore when you want to backup and restore Splunk UBA to the same operating system and same number of nodes.

You can use incremental backup and restore as an HA/DR solution that is less resource-intensive than the warm standby solution described in Configure warm standby in Splunk UBA. You can use the backups to restore Splunk UBA on the existing server, or on a new separate server.

Backup disk size requirements

Add an additional disk to the Splunk UBA management node mounted as /backup for the Splunk UBA backups.

The size of the additional disk must follow these guidelines:

  • The disk size must be at least half the size of your deployment in terabytes. For example, a 10-node system requires a 5TB disk.
  • If you are creating archives, allow for an additional 50 percent of the backup disk size. For example, a 10-node system requires a 5TB disk for backups, and an additional 2.5TB if for archives, so you would need a 7.5TB disk for archived backups.

The table summarizes the minimum disk size requirements for Splunk UBA backups per deployment:

For 20 node instances, the disk sizes in this table must be installed on both node1 and node2.

Number of Splunk UBA Nodes Minimum Disk Size for Backup (without archives) Minimum Disk Size for Backup (with archives)
1 Node 1TB 1.5TB
3 Nodes 1TB 1.5TB
5 Nodes 2TB 3TB
7 Nodes 4TB 6TB
10 Nodes 5TB 7.5TB
20 Nodes - Classic 10TB 15TB
20 Nodes - XL 30TB 45TB

If you have previous backups on the same disk, be sure to also take this into account when determining available disk space. See Prepare to backup Splunk UBA in Administer Splunk User Behavior Analytics.

Scheduling Splunk UBA backups

Perform or schedule backups of Splunk UBA at 10:00 PM local time to avoid conflicts with the offline models, which begin running at Midnight each night.

How long will my backup take?

The amount of time it takes to perform a backup depends on a number of factors, such as:

  • The size of your environment
  • The age of your environment
  • Network bandwidth
  • Storage throughput
  • Splunk UBA on cloud deployments may be subject to performance restrictions that will significantly increase the backup/restore time
  • Creating a compressed archive will take considerably longer due to the time required to compress the data

As an example, a large multi-node deployment with 5TB of data may complete a backup in less than 2 hours if the network bandwidth and storage throughput are not limiting factors.

Last modified on 08 November, 2024
Verify Splunk UBA is up and running after migration   Backup and restore Splunk UBA using automated incremental backups

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters