Migrate Splunk UBA using the backup and restore scripts
Use the backup and restore scripts located in /opt/caspida/bin/utils
to migrate your Splunk UBA deployment to the next larger size on the same operating system. For example, you can migrate from 5 nodes to 7 nodes, or 10 nodes to 20 nodes. If you want to migrate from 7 nodes to 20 nodes, migrate from 7 nodes to 10 nodes first, then from 10 nodes to 20 nodes.
The restore script removes all file-based data sources and does not restore them on the target Splunk UBA system.
The following summary of the migration process uses the backup and restore scripts. For example, to migrate from a 3 node cluster to a 5 node cluster, use these steps:
1. Verify the requirements for using the backup and restore scripts.
2. Run the uba-backup.sh script on the 3 node cluster. The script stops Splunk UBA, performs the backup, then restarts Splunk UBA on the 3 node cluster.
3. Save the /etc/influxdb/configs file from the management node of the 3 node cluster.
4. Set up the 5 node cluster so that all nodes meet the system requirements, and install Splunk UBA. The version number of the Splunk UBA software must match the version number of the backup. See the Splunk UBA installation checklist in Install and Upgrade Splunk User Behavior Analytics to begin a Splunk UBA installation.
5. Verify that Splunk UBA is up and running in the 5 node cluster. See Verify successful installation in Install and Upgrade Splunk User Behavior Analytics.
6. Run the uba-restore.sh script on the 5 node cluster. The script stops Splunk UBA, restores the system from the earlier backup, then starts Splunk UBA.
7. Replace the influx token in /etc/influxdb/configs on the 5 node cluster with the token from the configs file you saved in step 3, if the two tokens differ.
8. To verify that everything is correct, run the following command:
influx auth list --configs-path /etc/influxdb/configs
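The token replacement in the last steps above, as an added example that is not part of the Splunk UBA documentation or its scripts: it compares the token in the configs file saved from the old management node with the one on the new cluster and rewrites the new file only when they differ. It assumes the influx CLI configs format (a profile section containing a line such as `token = "..."`); the file paths and token values in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the Splunk UBA documentation or scripts: after
# uba-restore.sh, copy the influx token from the configs file saved off the
# old management node into the new cluster's configs only if the tokens differ.
# Assumes the influx CLI configs format, i.e. a profile section containing a
# line such as:   token = "..."
# All paths and token values below are constructed for the demonstration.

# Print the value of the first `token = "..."` line in an influx configs file.
influx_token() {
    sed -n 's/^[[:space:]]*token[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# sync_influx_token SAVED_CONFIGS TARGET_CONFIGS
# Prints "unchanged" when the tokens already match, "replaced" after rewriting
# the target; returns 1 if either file lacks a token line.
sync_influx_token() {
    saved_tok=$(influx_token "$1")
    target_tok=$(influx_token "$2")
    [ -n "$saved_tok" ] && [ -n "$target_tok" ] || return 1
    if [ "$saved_tok" = "$target_tok" ]; then
        echo unchanged
        return 0
    fi
    cp -p "$2" "$2.bak"                      # keep the pre-migration copy
    tmp="$2.tmp.$$"
    # Tokens are passed through the environment and matched with index(), so
    # characters that are special to regexes or sed replacements are harmless.
    OLD_TOK="$target_tok" NEW_TOK="$saved_tok" awk '
        {
            old = "\"" ENVIRON["OLD_TOK"] "\""
            i = index($0, old)
            if ($0 ~ /^[[:space:]]*token[[:space:]]*=/ && i > 0)
                $0 = substr($0, 1, i - 1) "\"" ENVIRON["NEW_TOK"] "\"" substr($0, i + length(old))
            print
        }' "$2" > "$tmp"
    cat "$tmp" > "$2" && rm -f "$tmp"        # overwrite in place to keep owner and mode
    echo replaced
}

# Demonstration on constructed files (real use: the saved copy vs /etc/influxdb/configs,
# then verify with: influx auth list --configs-path /etc/influxdb/configs).
demo_dir=$(mktemp -d)
printf '[default]\n  url = "http://localhost:8086"\n  token = "OLDCLUSTERTOKEN=="\n  org = "uba"\n  active = true\n' > "$demo_dir/saved_configs"
printf '[default]\n  url = "http://localhost:8086"\n  token = "NEWCLUSTERTOKEN=="\n  org = "uba"\n  active = true\n' > "$demo_dir/configs"
sync_influx_token "$demo_dir/saved_configs" "$demo_dir/configs"   # prints: replaced
influx_token "$demo_dir/configs"                                   # prints: OLDCLUSTERTOKEN==
rm -rf "$demo_dir"
```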
In addition to migration, you can use the backup and restore scripts as an alternative way of capturing backups of your Splunk UBA system, in addition to or in place of the automated incremental backups. See Backup and restore Splunk UBA using automated incremental backups.
Requirements for using the backup and restore scripts
Make sure the following requirements are met before using the backup and restore scripts:
- The target system you are migrating to must be set up with Splunk UBA already up and running.
- The backup system and the target system you are migrating to must have the same version of Splunk UBA running on the same operating system.
- The target system you are migrating to must be the same size or one deployment size larger than the backup system. See Scaling your Splunk UBA deployment in the Plan and Scale your Splunk UBA Deployment manual for information about the supported Splunk UBA deployment sizes.
- The backup and restore scripts are case-sensitive. Verify that your DNS host name is an exact match with the host names in /etc/hosts and /etc/hostname. See Configure host name lookups and DNS in Install and Upgrade Splunk User Behavior Analytics.
Backup disk size requirements
Add an additional disk to the Splunk UBA management node, mounted as /var/vcap/ubabackup, for the Splunk UBA backups.
The size of the additional disk must follow these guidelines:
- The disk size must be at least half the size of your deployment in terabytes. For example, a 10-node system requires a 5TB disk.
- If you are creating archives, allow for an additional 50 percent of the backup disk size. For example, a 10-node system requires a 5TB disk for backups and an additional 2.5TB for archives, so you would need a 7.5TB disk for archived backups.
The table summarizes the minimum disk size requirements for Splunk UBA backups per deployment:
| Number of Splunk UBA Nodes | Minimum Disk Size for Backup (without archives) | Minimum Disk Size for Backup (with archives) |
|---|---|---|
| 1 Node | 1TB | 1.5TB |
| 3 Nodes | 1TB | 1.5TB |
| 5 Nodes | 2TB | 3TB |
| 7 Nodes | 4TB | 6TB |
| 10 Nodes | 5TB | 7.5TB |
| 20 Nodes | 10TB | 15TB |
If you have previous backups on the same disk, be sure to also take this into account when determining available disk space.
Scheduling Splunk UBA backups
Perform or schedule backups of Splunk UBA at 10:00 PM local time to avoid conflicts with the offline models, which begin running at midnight each night.
How long will my backup take?
The amount of time it takes to perform a backup depends on a number of factors, such as:
- The size of your environment
- The age of your environment
- Network bandwidth
- Storage throughput
- Cloud deployments of Splunk UBA may be subject to performance restrictions that significantly increase the backup and restore time
- Creating a compressed archive takes considerably longer because of the time required to compress the data
As an example, a large multi-node deployment with 5TB of data may complete a backup in less than 2 hours if the network bandwidth and storage throughput are not limiting factors.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0, 5.4.1