Splunk ITSI

How does ITSI backup and restore work for custom "ITSI Import Objects" and entities?

vinothnaga
Explorer

Hi All,

We have two different on-prem environments, one lower and one higher environment.

While promoting the ITSI changes from the lower environment to the higher environment using the ITSI full backup and restore method, I am facing the below issues:

  1. I am unable to restore the newly/custom created ITSI Import Objects (which are stored under the itsi/local app as part of creating entities from a saved search and setting up a recurring import).
    1. As per the documentation, if the saved search is stored in itsi/local it is excluded from backup and restore, so what process should be followed to promote this to the higher environment?
    2. As part of this backup and restore, by default all the entities are promoted to the higher environment. Is there any way to restrict promoting the entities alone, because the entities change based on the environment?

Thanks in advance

 


srauhala_splunk
Splunk Employee

I have come across this many times as well. Your best option in my opinion is to move the savedsearches, macros etc. from the /itsi/local app context to your self-managed application context, for example project-x_itsi_addon. Then promote the configurations from this app to a higher environment.

I am not 100% sure how the adaptive thresholds search would act if you try to migrate that one this way, so be a bit extra careful with those.

In general it's also good practice to maintain your KPI searches and Correlation searches in your separate application context. You can thereafter use a reference to a saved search in the ITSI KPI/KPI Base/Correlation searches with "| savedsearch my_saved_search_from_app_1". Note that my_saved_search_from_app_1 needs to be shared globally. This will enable you to promote KPI search changes to another Splunk environment from your custom app context without needing to restore an ITSI backup.

 /Seb

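The layout Seb describes above, as an added example that is not part of this thread or of ITSI's own configuration files: a saved search kept in a self-managed app (the app name project-x_itsi_addon is taken from the answer; the stanza contents, the index and sourcetype in the search, and the field names are constructed), exported globally so that an ITSI KPI base search in the itsi app context can call it with `| savedsearch`.

```ini
# $SPLUNK_HOME/etc/apps/project-x_itsi_addon/default/savedsearches.conf
# The search logic lives here, outside itsi/local, so it travels with the
# app deployment instead of depending on an ITSI backup/restore.
[my_saved_search_from_app_1]
# constructed example search; replace with the real KPI base search
search = index=web sourcetype=access_combined status>=500 | stats count AS error_count BY host
# not scheduled here: ITSI runs it on the KPI's own schedule via | savedsearch
enableSched = 0

# $SPLUNK_HOME/etc/apps/project-x_itsi_addon/metadata/default.meta
# export = system shares the saved search globally (the "shared globally"
# requirement from the answer); without it the itsi app context cannot
# resolve the name and the KPI search fails.
[savedsearches/my_saved_search_from_app_1]
access = read : [ * ], write : [ admin ]
export = system

# In ITSI (service > KPI > base search) the search field then only holds
# the reference, so changing the search logic is an app deployment:
#   | savedsearch my_saved_search_from_app_1
```

Deploy the app to the higher environment and reload the saved-search configuration; the KPI definition in ITSI stays unchanged because it only carries the reference. Keep the write access restricted (here to admin) so that a change to the underlying search cannot be made by anyone who merely has access to the ITSI service. Note that this covers the search logic only; the adaptive-threshold caveat in the answer still applies to the KPI itself.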

vinothnaga
Explorer

@srauhala_splunk, thank you for your response.

Do you have any thoughts on my 2nd question: is there any way to exclude the entities promotion as part of the backup and restore?


srauhala_splunk
Splunk Employee

@vinothnaga If you do a partial backup the entities will not be included. Try it out! You can also unzip the backups to have a look at what is included.

 

/Seb 


vinothnaga
Explorer

Hi @srauhala_splunk,

One last question: is there any way to exclude the entities while doing a full backup?

And is there any Splunk documentation available related to the additional best practices for Splunk ITSI backup and recovery which you suggested (like maintaining the saved searches in a separate folder)?


srauhala_splunk
Splunk Employee

@vinothnaga No, not to my knowledge. I think your best option is a partial backup.

Not that I know of, since this is in regards to configuring ITSI to be easier to migrate to another environment, not part of ITSI best practice itself. Here you can find some useful information on ITSI in general: https://www.splunk.com/pdfs/getting-started/splunk-getting-started-with-itsi.pdf

/Seb 
