Splunk ITSI

Splunk ITSI : Lost backup files on /var/itsi/backups

Master_Blaster
Explorer

Hello,

We were using ITSI  4.3.1. as it had some issues, we decided to uninstall & freshly install 4.7.2. 

We took backup of current configuration using "create backup job"  on ITSI GUI. And, I verified that, we had backup jobs stored on /var/itsi/backups directory on respective search head server.

However, after installing 4.7.2 i can't see any backup jobs available on respective directory. it got overwritten by 4.7.2 backups as below.

[root@server backups]# pwd
/opt/splunk/var/itsi/backups
[root@server backups]# ls
ItsiDefaultScheduledBackup-1620340301.zip
ItsiDefaultScheduledBackup-1620343842.zip

 

Is there any way to retrieve full & partial backups which we took on earlier version (4.3.2) as we had all our services, KPI's there and we don't have any other backups taken for same ?

Thanks in advance for your support. 

Labels (3)
0 Karma

yannK
Splunk Employee
Splunk Employee

ITSI default backups do rotate, 

- in older versions the last one was overwritten

- since 4.3 and later, the last 7 are kept. and the file name changed too include the date.
see https://docs.splunk.com/Documentation/ITSI/4.3.0/ReleaseNotes/Newfeatures

The backups you have seems to be in the new format.

I do not know why the older ones are gone, is it a bug, did you clean up the folder during the reinstall ?
if you wiped the kvstore, it's possible that the record of the backups was lost, and the old files cleaned up ?

0 Karma

Master_Blaster
Explorer

@somesoni2 @woodcock Please help

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...