Backup and Restore
Regularly back up all data used by Alert Manager Enterprise (AME) to ensure data integrity and disaster recovery readiness. A complete backup includes app configurations, Splunk indexes, KV Store collections, and aligns with event retention and tenant backup settings.
Backup Overview
Perform regular backups to protect AME data, including configurations, events, and tenant settings. A complete backup comprises:
App and Configuration Backup
- App Directory: Back up the entire directory at
$SPLUNK_HOME/etc/apps/alert_manager_enterprise. For Search Head Cluster environments, back up data from a single cluster node. - Config Files: Save custom configurations from
$SPLUNK_HOME/etc/apps/alert_manager_enterprise/local. Note that essential saved searches may reside in other apps.
Index Backup
Most AME data, excluding configurations, is stored in Splunk indexes. Ensure you back up:
- The default tenant index (
ame_default). - Any additional tenant-specific indexes.
KV Store Backup
AME stores event data, states, and configurations in KV Store collections prefixed with ame_. Follow the Splunk Admin Manual for backup instructions:
- From the CLI, run
splunk show kvstore-statusto check status. - Confirm
backupRestoreStatusandstatusboth show "ready". - (Optional) Use a separate partition for the backup directory to safeguard against
$SPLUNK_DB/kvstorefailures. - Run
splunk backup kvstore -pointInTime truefrom any search head to create a consistent archive in$SPLUNK_DB/kvstorebackup.
The -pointInTime true option ensures a consistent backup but prevents backing up individual collections.
Event Retention
Event retention settings control how long events remain in a tenant’s KV Store, affecting backup scope. Configure retention in tenant settings to balance storage and accessibility (see Tenants).
Align event retention with Splunk index retention to avoid inconsistencies. Mismatched settings may render events inaccessible in indexes while still present in KV Store, complicating restores.
Tenant Configuration Backup
AME automatically backs up tenant-specific configuration collections daily into the tenant’s index, ensuring protection of settings like templates and notifications. This enables restoring all tenant data or specific collections via the Configuration > Backup section.
See System Configurations for details.
Backup Types
- Full Backup: Captures all AME data for comprehensive recovery:
| Component | Description |
|---|---|
| App Directory | Entire $SPLUNK_HOME/etc/apps/alert_manager_enterprise directory |
| Configuration Files | Custom configs in $SPLUNK_HOME/etc/apps/alert_manager_enterprise/local |
| Indexes | All tenant indexes (e.g., ame_default) |
| KV Store Collections | All ame_ prefixed collections (events, states, configs) |
- AME Config Backup: Focuses on tenant-specific configurations for frequent, lightweight protection:
| Component | Description |
|---|---|
ame_notification_templates | Notification templates |
ame_notification_targets | Notification targets |
ame_resolutions | Resolution definitions |
ame_tenants | Tenant configurations |
ame_templates | Event templates |
ame_statusoptions | Status options |
ame_notifications | Notification schemes |
ame_savedfilters | Saved filters |
Use full backups for disaster recovery and AME config backups for regular, lightweight protection of tenant configurations.
Restore Overview
Restore AME data by following these steps for each component, ensuring data consistency and minimal downtime.
App and Configuration Restore
- App Restore: Restore the app directory to
$SPLUNK_HOME/etc/apps/alert_manager_enterprise. - Config File Restore: Place restored config files in
$SPLUNK_HOME/etc/apps/alert_manager_enterprise/local.
Index Restore
Restore all indexed data (e.g., ame_default and tenant indexes) to their original state using Splunk procedures.
KV Store Restore
Restore all ame_ prefixed KV Store collections using the Splunk Admin Manual.
Perform a full KV Store restore with -pointInTime true for consistency, or restore individual ame_ collections as needed. Use tenant backup options for tenant-specific configurations.
Tenant Configuration Restore
Restore tenant-specific configurations via the Configuration > Backup section in AME.
See System Configurations for details how to restore AME configuration.
Exercise caution when restoring backups, as selecting an incompatible version may break object references.