Splunk ITSI : Lost backup files on /var/itsi/backu...

Master_Blaster · ‎05-07-2021

Hello,

We were using ITSI 4.3.1. as it had some issues, we decided to uninstall & freshly install 4.7.2.

We took backup of current configuration using "create backup job" on ITSI GUI. And, I verified that, we had backup jobs stored on /var/itsi/backups directory on respective search head server.

However, after installing 4.7.2 i can't see any backup jobs available on respective directory. it got overwritten by 4.7.2 backups as below.

[root@server backups]# pwd
/opt/splunk/var/itsi/backups
[root@server backups]# ls
ItsiDefaultScheduledBackup-1620340301.zip
ItsiDefaultScheduledBackup-1620343842.zip

Is there any way to retrieve full & partial backups which we took on earlier version (4.3.2) as we had all our services, KPI's there and we don't have any other backups taken for same ?

Thanks in advance for your support.

yannK · ‎09-03-2021

ITSI default backups do rotate,

- in older versions the last one was overwritten

- since 4.3 and later, the last 7 are kept. and the file name changed too include the date.
see https://docs.splunk.com/Documentation/ITSI/4.3.0/ReleaseNotes/Newfeatures

The backups you have seems to be in the new format.

I do not know why the older ones are gone, is it a bug, did you clean up the folder during the reinstall ?
if you wiped the kvstore, it's possible that the record of the backups was lost, and the old files cleaned up ?

Master_Blaster · ‎05-07-2021

@somesoni2 @woodcock Please help

Splunk ITSI : Lost backup files on /var/itsi/backups

installation

troubleshooting

using ITSI

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices