Skip to main content
Version: Next

Backup and Restore

Backup

It is recommended to regularly back up all the data used by Alert Manager Enterprise.

A complete backup consists of several parts:

App Backup

It is recommended that a full backup of the app directory be done on $SPLUNK_HOME/app/alert_manager_enterprise.

For Searchhead-Cluster-Environments it is sufficient to backup the data on a single cluster node.

Config File Backup

Customization to the configuration resides in $SPLUNK_HOME/app/alert_manager_enterprise/local. Note that necessary saved searches can also reside within other apps!

Index Backup

All important data is written to Splunk Indexes. Make sure to backup the default tenant index and any additional tenant indexes.

KV Store Backup

The events and their states are stored in multiple KV Store collections (all have a prefix of ame_).

Please follow the Splunk Admin Manual how to back up the KV Store.

Example:

  1. In the CLI, run the splunk show kvstore-status command.
  2. Ensure that the backupRestoreStatus field and the status field are both in the ready state.
  3. (Optional) Create a separate partition for your backup directory so that the backup is preserved if the $SPLUNK_DB/kvstore directory fails.
  4. Use the splunk backup kvstore -pointInTime true command from any search head. This creates an archive file in the $SPLUNK_DB/kvstorebackup directory. You must use the command's -pointInTime true option to back up consistently.

Note that with the `pointInTime Option, it's impossible to backup single Collections, but a consistent backup is created as a benefit.

Restore

App Restore

Doing a full restore of Alert Manager Enterprise starts by restoring the app and the config files.

Config File Restore

Ensure the restored config files are placed under $SPLUNK_HOME/app/alert_manager_enterprise/local.

Index Restore

Make sure all indexed data is restored again.

KV Store Restore

Restore all ame_ indexes by following the Splunk Admin Manual

info

Depending on the state of the KV Store collection, decide if a full restore of all KV Store Collections is needed (with the option pointInTime) or if you only need to restore AME indexes one by one.