Splunk ITSI

Splunk ITSI : Lost backup files on /var/itsi/backups

Master_Blaster
Explorer

Hello,

We were using ITSI  4.3.1. as it had some issues, we decided to uninstall & freshly install 4.7.2. 

We took backup of current configuration using "create backup job"  on ITSI GUI. And, I verified that, we had backup jobs stored on /var/itsi/backups directory on respective search head server.

However, after installing 4.7.2 i can't see any backup jobs available on respective directory. it got overwritten by 4.7.2 backups as below.

[root@server backups]# pwd
/opt/splunk/var/itsi/backups
[root@server backups]# ls
ItsiDefaultScheduledBackup-1620340301.zip
ItsiDefaultScheduledBackup-1620343842.zip

 

Is there any way to retrieve full & partial backups which we took on earlier version (4.3.2) as we had all our services, KPI's there and we don't have any other backups taken for same ?

Thanks in advance for your support. 

Labels (3)
0 Karma

yannK
Splunk Employee
Splunk Employee

ITSI default backups do rotate, 

- in older versions the last one was overwritten

- since 4.3 and later, the last 7 are kept. and the file name changed too include the date.
see https://docs.splunk.com/Documentation/ITSI/4.3.0/ReleaseNotes/Newfeatures

The backups you have seems to be in the new format.

I do not know why the older ones are gone, is it a bug, did you clean up the folder during the reinstall ?
if you wiped the kvstore, it's possible that the record of the backups was lost, and the old files cleaned up ?

0 Karma

Master_Blaster
Explorer

@somesoni2 @woodcock Please help

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...