Splunk® App for Content Packs

Overview of the Splunk App for Content Packs

This documentation does not apply to the most recent version of Splunk® App for Content Packs. For documentation on the most recent version, go to the latest release.

Install the Splunk App for Content Packs

To access the content packs on the Data Integrations page of ITSI or IT Essentials Work, you have to install the Splunk App for Content Packs. You can install the Splunk App for Content Packs on your Splunk Cloud Platform or on-premises environment. The Splunk App for Content Packs is compatible with ITSI and IT Essentials Work on Splunk Cloud Platform.

Install the Splunk App for Content Packs on a Splunk Cloud Platform environment

Splunk Cloud Platform customers can file a case requesting the Splunk App for Content Packs. Use the Splunk Support Portal at Support and Services or contact Splunk Customer Support. You can install the Splunk App for Content Packs on single-instance and distributed deployments.

Install the Splunk App for Content Packs on a single, on-premises environment

At this time, you can't install the Splunk App for Content Packs from the Splunk Web interface.

Follow these steps to install the Splunk App for Content Packs on a single, on-premises Splunk Enterprise environment.

  1. Download the Splunk App for Content Packs from Splunkbase.
  2. Put the downloaded file splunk-app-for-content-packs_<latest_version>.spl into $SPLUNK_HOME/etc/apps. Do this, and the extraction in step 4, as the user account that runs Splunk so the extracted app directories end up with the correct owner.
  3. Stop your Splunk platform deployment. For example:
    cd $SPLUNK_HOME/bin
    ./splunk stop
    
  4. Extract the installation package into $SPLUNK_HOME/etc/apps. Because step 3 changed into $SPLUNK_HOME/bin, give the full path to the package. For example:
    tar -xvf $SPLUNK_HOME/etc/apps/splunk-app-for-content-packs_<latest_version>.spl -C $SPLUNK_HOME/etc/apps
    

    On Windows, rename the file extension from .spl to .tgz first and use a third-party utility to perform the extraction.

    The extracted directories follow the naming conventions DA-ITSI-CP-<contentpack> and DA-ITSI-ContentLibrary.

  5. Start your Splunk platform deployment. For example:
    cd $SPLUNK_HOME/bin
    ./splunk start
    

Install the Splunk App for Content Packs on a search head cluster environment

Follow these steps to install the Splunk App for Content Packs on a search head cluster Splunk Enterprise environment.

  1. Download the Splunk App for Content Packs from Splunkbase.
  2. On the deployer, extract the Splunk App for Content Packs installation package into the $SPLUNK_HOME/etc/shcluster/apps directory. For example:
    tar -xvf splunk-app-for-content-packs_<latest_version>.spl -C $SPLUNK_HOME/etc/shcluster/apps
    
  3. From the deployer, run the following command to deploy the Splunk App for Content Packs to the cluster members:
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
    

    Note the following:

    • The -target parameter specifies the URI and management port for any member of the cluster, for example, https://10.0.1.14:8089. You specify only one cluster member but the deployer pushes to all members. This parameter is required.
    • The -auth parameter specifies credentials for the deployer instance. Passing the password on the command line records it in the shell history and exposes it to other users of the host through the process list; if you omit -auth, the splunk CLI prompts for the username and password instead.

    For more information on deploying a configuration bundle, see Deploy a configuration bundle in the Splunk Enterprise Distributed Search Manual.
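The single-instance procedure above and the deployer procedure in this section, as one added shell script. This is example code written for this page, not part of the Splunk App for Content Packs or of any Splunk installer; it assumes a POSIX shell with tar, that the .spl file is a gzipped tar, and that the package contains only DA-ITSI-* app directories as the page states. Before extracting, it lists the archive and refuses any entry that would write outside the apps directory (an absolute path or a ".." component) or that is not a DA-ITSI-* directory, which is the check worth doing before unpacking a downloaded package into a directory Splunk loads code from. In single mode it stops and starts Splunk around the extraction when $SPLUNK_HOME/bin/splunk exists; in deployer mode it only stages the app and prints the apply shcluster-bundle command for you to run with your own -target. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not Splunk's installer: stage the Splunk App for Content Packs
# into a Splunk apps directory after inspecting the archive.
#   mode "single"   -> $SPLUNK_HOME/etc/apps, stopping and starting Splunk around the extraction
#   mode "deployer" -> $SPLUNK_HOME/etc/shcluster/apps, leaving "splunk apply shcluster-bundle" to you
# Assumptions: POSIX sh with tar; the .spl is a gzipped tar; the package holds only
# DA-ITSI-* app directories (the naming convention this page documents).

# List the top-level entry names of the archive, one per line.
list_top_level_entries() {
    tar -tzf "$1" | sed 's#^\./##' | cut -d/ -f1 | sort -u
}

# Refuse archives that could write outside the apps directory (absolute paths or
# ".." components) or that carry anything other than DA-ITSI-* app directories.
# Returns 0 when every entry is acceptable, 1 otherwise.
check_archive() {
    archive="$1"
    tar -tzf "$archive" >/dev/null 2>&1 || { echo "not a readable gzipped tar: $archive" >&2; return 1; }
    tar -tzf "$archive" | sed 's#^\./##' | while IFS= read -r entry; do
        case "$entry" in
            "") ;;                                     # the "./" entry some tars emit
            /*|..|../*|*/..|*/../*)
                echo "unsafe path in archive: $entry" >&2; exit 1 ;;
            DA-ITSI-*) ;;
            *)  echo "unexpected top-level entry: $entry" >&2; exit 1 ;;
        esac
    done                                               # the loop's exit status is the pipeline's status
}

# install_content_packs_app ARCHIVE SPLUNK_HOME [single|deployer]
install_content_packs_app() {
    archive="$1"; splunk_home="$2"; mode="${3:-single}"
    case "$mode" in
        single)   apps_dir="$splunk_home/etc/apps" ;;
        deployer) apps_dir="$splunk_home/etc/shcluster/apps" ;;
        *) echo "mode must be single or deployer" >&2; return 2 ;;
    esac
    [ -d "$apps_dir" ] || { echo "missing apps directory: $apps_dir" >&2; return 1; }
    check_archive "$archive" || return 1
    # Extract as the account that runs Splunk so the app directories keep the right owner.
    if [ "$(id -u)" -eq 0 ]; then
        echo "warning: running as root; files under $apps_dir may end up owned by root" >&2
    fi
    if [ "$mode" = single ] && [ -x "$splunk_home/bin/splunk" ]; then
        "$splunk_home/bin/splunk" stop
    fi
    tar -xzf "$archive" -C "$apps_dir" || return 1
    # Confirm every app directory from the archive now exists in the apps directory.
    for app in $(list_top_level_entries "$archive"); do
        [ -d "$apps_dir/$app" ] || { echo "extraction incomplete: $app missing" >&2; return 1; }
    done
    if [ "$mode" = single ] && [ -x "$splunk_home/bin/splunk" ]; then
        "$splunk_home/bin/splunk" start
    fi
    echo "installed into $apps_dir: $(list_top_level_entries "$archive" | tr '\n' ' ')"
    if [ "$mode" = deployer ]; then
        echo "next: $splunk_home/bin/splunk apply shcluster-bundle -target <URI>:<management_port>"
    fi
}

# Usage: sh install-content-packs.sh splunk-app-for-content-packs_<version>.spl /opt/splunk [single|deployer]
if [ "$#" -ge 2 ]; then
    install_content_packs_app "$@"
fi
```

The listing pass costs one extra read of the archive and is the part worth keeping even if you script the rest differently: a package that unpacks into $SPLUNK_HOME/etc/apps runs with Splunk's privileges on every search head, so the top-level names should be confirmed before, not after, extraction.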

Install the Splunk App for Content Packs on a distributed environment

You can install the Splunk App for Content Packs on any distributed Splunk Enterprise environment.

Where to install the Splunk App for Content Packs

Splunk instance type | Supported | Required | Actions required
Search heads         | Yes       | Yes      | Install the Splunk App for Content Packs on all search heads. Search heads have to be running a compatible version of Splunk Enterprise. For compatible versions, see the compatibility matrix.
Indexers             | Yes       | No       | The Splunk App for Content Packs doesn't require indexers.
License master       | Yes       | No       | The Splunk App for Content Packs doesn't require a license master component.
Heavy forwarders     | Yes       | No       | The Splunk App for Content Packs doesn't contain a data collection component.
Universal forwarders | Yes       | No       | The Splunk App for Content Packs doesn't contain a data collection component.

After installation of the Splunk App for Content Packs

Following a brand-new installation of the Splunk App for Content Packs, do the following:

First, create lookup files required by the Content Pack for ITSI Monitoring and Alerting:

  1. From the navigation bar within IT Service Intelligence (ITSI) or IT Essentials Work, go to Settings > Searches, Reports, and Alerts.
  2. Choose the Content Pack for Monitoring and Alerting app with the owner nobody.
  3. Enable and run the search:
    CPMA-Lookups-Init

Next, remove the benign error related to Could not load lookup=LOOKUP-dropdowns:

  1. Go to Settings > Searches, Reports, and Alerts.
  2. Choose the Content Pack for Unix Dashboards and Reports app with the owner nobody.
  3. Enable and run the search:
    dropdowns_lookup_migrate
  4. You can disable the search afterwards if you are not using the Content Pack for Unix Dashboards and Reports.

You get an error the first time you run the saved search dropdowns_lookup_migrate because the savedsearch command initially looks for the lookup file dropdown.csv, which is not yet present in the environment. The error occurs only once and can be ignored, because the search creates the lookup.

Remove the benign error related to Eventtype 'wineventlog-ds' does not exist or is disabled:

  1. Install the Splunk Add-on for Microsoft Windows to remove this error.
Last modified on 07 February, 2024

This documentation applies to the following versions of Splunk® App for Content Packs: 2.0.0, 2.0.1, 2.1.0

