Splunk IT Service Intelligence

Splunk ITSI : Lost backup files on /var/itsi/backups



We were using ITSI  4.3.1. as it had some issues, we decided to uninstall & freshly install 4.7.2. 

We took backup of current configuration using "create backup job"  on ITSI GUI. And, I verified that, we had backup jobs stored on /var/itsi/backups directory on respective search head server.

However, after installing 4.7.2 i can't see any backup jobs available on respective directory. it got overwritten by 4.7.2 backups as below.

[root@server backups]# pwd
[root@server backups]# ls


Is there any way to retrieve full & partial backups which we took on earlier version (4.3.2) as we had all our services, KPI's there and we don't have any other backups taken for same ?

Thanks in advance for your support. 

Labels (3)
0 Karma

Splunk Employee
Splunk Employee

ITSI default backups do rotate, 

- in older versions the last one was overwritten

- since 4.3 and later, the last 7 are kept. and the file name changed too include the date.
see https://docs.splunk.com/Documentation/ITSI/4.3.0/ReleaseNotes/Newfeatures

The backups you have seems to be in the new format.

I do not know why the older ones are gone, is it a bug, did you clean up the folder during the reinstall ?
if you wiped the kvstore, it's possible that the record of the backups was lost, and the old files cleaned up ?

0 Karma


@somesoni2 @woodcock Please help

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...