Splunk Lantern

Cleaning up backup file directories

 

This task cleans out the backup directory of the Splunk User Behavior Analytics (UBA) cluster to ensure that the incremental UBA backups do not fill up the node disk and subsequently compromise cluster functionality. This procedure is valid as of UBA version 5.3.0.

This article is part of the Splunk User Behavior Analytics Owner's Manual, which describes the recommended ongoing maintenance tasks that the owner of a UBA implementation should ensure are performed to keep their implementation functional. To see more maintenance tasks, click here to see the complete manual.

Why is this important?

Splunk User Behavior Analytics performs automated incremental backups of configuration state and anomaly and threat findings. These backup snapshots are written to the local disk on the primary node of the UBA cluster. There is no automated process for aging these snapshots out, which means that over time the backup directory can fill up, eventually fully utilizing the disk on the cluster node and compromising the performance of the UBA cluster.

Schedule

Every month

Prerequisites

  • This procedure requires CLI access to all nodes of the UBA cluster.
  • This procedure requires local privileged account access to all nodes of the UBA cluster.

Notes and warnings

  • This procedure uses a wildcard remove command. Be very careful in applying this command, as the incorrect application of the command can severely damage or destroy the underlying OS of the UBA node.
  • This procedure deletes all backup set points before the current backup. Make sure to confirm that these previous backups will not be required before they are deleted.

Procedure

  1. Log in to the Splunk User Behavior Analytics server as the caspida user. For a multi-node UBA environment, log in to the management node.
  2. Check if there are any backup files to be deleted by running the following command:
    ls -la /backup/delete/
  3. If files are listed in the /backup/delete/ folder, delete the contents of the backup delete directory with the following command:
    rm -rf /backup/delete/*
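The same check-then-delete steps as a guarded shell function. This is an added example, not Splunk's tooling or code from this article: it defaults to the /backup/delete/ path from step 3, refuses empty, relative, root or symlinked paths before anything is removed, and uses find -delete instead of the wildcard rm that the notes above warn about. The function and helper names are assumptions.

```sh
#!/bin/sh
# Hypothetical hardened cleanup for the UBA backup delete directory (added example).
# Run as the caspida user on the management node; a different directory may be
# passed as the first argument, which is what the checks below rely on.

# Count the entries (files, subdirectories, dot-files) directly inside a directory.
count_backup_entries() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Show, then delete, the contents of the backup delete directory.
# Returns 0 on success, 1 when the path guard rejects the argument,
# 2 when the directory does not exist. The directory itself is kept.
cleanup_backup_delete_dir() {
    # Default only when no argument is given; an explicit empty string is rejected.
    dir=${1-/backup/delete}
    # Guard: never let "", "/", a relative path or a ".." component reach the removal.
    case $dir in
        ""|/|*/../*|*/..)
            echo "refusing to clean suspicious path: '$dir'" >&2; return 1 ;;
        /*) ;;
        *)  echo "refusing relative path: '$dir'" >&2; return 1 ;;
    esac
    if [ -L "$dir" ]; then
        echo "refusing symlinked directory: $dir" >&2; return 1
    fi
    [ -d "$dir" ] || { echo "directory does not exist: $dir" >&2; return 2; }
    # Mirror the manual 'ls -la' check in step 2 so the operator sees what will go.
    ls -la "$dir"
    # Remove only the contents, deepest entries first; no shell wildcard is expanded,
    # so an unset or mistyped variable cannot turn this into 'rm -rf /*'.
    find "$dir" -mindepth 1 -delete
}
```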

Next steps

This resource might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you require assistance.