Splunk IT Service Intelligence

Splunk ITSI : Lost backup files on /var/itsi/backups



We were using ITSI  4.3.1. as it had some issues, we decided to uninstall & freshly install 4.7.2. 

We took backup of current configuration using "create backup job"  on ITSI GUI. And, I verified that, we had backup jobs stored on /var/itsi/backups directory on respective search head server.

However, after installing 4.7.2 i can't see any backup jobs available on respective directory. it got overwritten by 4.7.2 backups as below.

[root@server backups]# pwd
[root@server backups]# ls


Is there any way to retrieve full & partial backups which we took on earlier version (4.3.2) as we had all our services, KPI's there and we don't have any other backups taken for same ?

Thanks in advance for your support. 

Labels (3)
0 Karma

Splunk Employee
Splunk Employee

ITSI default backups do rotate, 

- in older versions the last one was overwritten

- since 4.3 and later, the last 7 are kept. and the file name changed too include the date.
see https://docs.splunk.com/Documentation/ITSI/4.3.0/ReleaseNotes/Newfeatures

The backups you have seems to be in the new format.

I do not know why the older ones are gone, is it a bug, did you clean up the folder during the reinstall ?
if you wiped the kvstore, it's possible that the record of the backups was lost, and the old files cleaned up ?

0 Karma


@somesoni2 @woodcock Please help

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...