Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Perform periodic cleanup of the backup files

Splunk UBA provides scripts that automatically clean up the backup files on your system so that you don't run out of space. The following scripts are located in the /etc/cron.monthly directory to perform periodic cleanup of incremental backup and Postgres files. You can edit the scripts to update the cron settings for how frequently the scripts are run.

| File | Description |
| --- | --- |
| remove_pg_logs | Postgres logs can accumulate over time and take up large amounts of space on your system. This script removes all logs older than 14 days. |
| remove_pg_walarchive | The /backup/wal_archive directory contains the Postgres write-ahead logging (WAL) files used to recover Splunk UBA to a specific point using an incremental backup. This script removes WAL files older than 14 days. If your WAL files are not located in the /backup/wal_archive directory, edit the script to point to the location of your WAL files. |

Clean up older backup files in the delete directory

Completed full backups are saved in the caspida directory. All existing backups in the caspida directory are moved to the delete directory. You can safely remove all content in the delete directory to minimize the number of files retained on the system while preserving the ability to recover to the latest checkpoint. Perform this cleanup at least once a month.

In the following example, it is safe to remove all backup directories 0000021 to 0000038 in /backup/delete/, while keeping 1000039 to 0000045 in /backup/caspida/. The 1000039 folder contains a full backup, while all the other directories starting with zero contain incremental backups.

caspida@node1:~$ ls -t /backup/caspida/ /backup/delete/
0000045  0000044  0000043  0000042  0000041  0000040  1000039
0000038  0000036  1000034  0000032  0000030  0000028  0000026  0000024  0000022  1000020
0000037  0000035  0000033  0000031  0000029  0000027  0000025  0000023  0000021
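
A guarded way to script the monthly cleanup described above, as an added example that is not part of Splunk's documentation or scripts. It assumes the /backup/caspida and /backup/delete paths and the 7-digit naming shown in the listing (leading 1 for a full backup, leading 0 for an incremental); the function names, the dry-run default and the sequence-number check are this example's own.

```shell
#!/bin/sh
# Added example, not a Splunk-provided script.
# Assumption: backup directories are named with 7 digits, as in the listing.

# Print the 7-digit backup directory names found under $1, one per line.
list_backups() {
    for d in "$1"/[01][0-9][0-9][0-9][0-9][0-9][0-9]; do
        if [ -d "$d" ]; then basename "$d"; fi
    done
}

# Print the newest full backup (name starting with 1) under $1, if any.
latest_full() {
    list_backups "$1" | awk '/^1/ { last = $0 } END { if (last != "") print last }'
}

# Print the entries under $2 (delete dir) that are safe to remove.
# Refuses unless $1 (caspida dir) holds a full backup to recover from.
cleanup_candidates() {
    full=$(latest_full "$1")
    if [ -z "$full" ]; then
        echo "no full backup under $1; not touching $2" >&2
        return 1
    fi
    # Assumed sanity check: only list entries whose sequence number is
    # lower than that of the current full backup.
    list_backups "$2" | awk -v seq="${full#?}" 'substr($0, 2) + 0 < seq + 0'
}

# Dry run by default; pass --apply as the third argument to delete.
cleanup_delete_dir() {
    candidates=$(cleanup_candidates "$1" "$2") || return 1
    for name in $candidates; do
        if [ "${3:-}" = "--apply" ]; then
            rm -rf -- "${2:?}/$name"
        else
            echo "would remove $2/$name"
        fi
    done
}

# Usage: cleanup_delete_dir /backup/caspida /backup/delete [--apply]
```

Run it without --apply first and compare the output against the ls listing before deleting anything.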
Last modified on 20 January, 2022

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.2.0, 5.2.1, 5.3.0, 5.4.0
