Migrate from the Content Pack for Splunk Infrastructure Monitoring to the Content Pack for Splunk Observability Cloud
The Content Pack for Splunk Infrastructure Monitoring was replaced by the Content Pack for Splunk Observability Cloud in version 1.4.0 of the Splunk App for Content Packs. If you were using the Content Pack for Splunk Infrastructure Monitoring, follow these steps to migrate to the Content Pack for Splunk Observability Cloud.
Prerequisite
Create a full backup of your ITSI environment. For more information, see Create a full backup in the Administration Manual.
Step 1: Disable the content pack app
- Go to Apps > Manage Apps.
- Search for "Splunk Infrastructure Monitoring".
- Locate Folder Name: DA-ITSI-CP-splunk-infra-monitoring and select Disable under Status.
Disabling the app will also disable the saved entity searches.
Step 2: Remove Content Pack for Splunk Infrastructure Monitoring objects
There are two options to remove the content pack objects:
- Remove through the ITSI user interface.
- Use REST API calls. This approach is faster.
Option 1: Remove the Content Pack for Splunk Infrastructure Monitoring objects through the ITSI user interface
Step 1: Remove the Content Pack for Splunk Infrastructure Monitoring entities
- From the ITSI menu go to Configuration > Entities.
- Under Advanced Filter create this filter rule. Repeat for each filter value listed:
- Filter: info
- Field name: entity_type
- Field values: AWS EC2, AWS Lambda, Azure Functions, Azure Virtual Machines, GCP Cloud Functions, GCP Compute Engine.
- Select all entities and select Bulk Action > Delete selected.
The list of entities is paginated. Be sure to delete all entities.
Step 2: Remove the Content Pack for Splunk Infrastructure Monitoring entity types
- From the ITSI menu go to Configuration > Entities.
- Go to the Entity Type tab.
- For each of these entity types, select Edit > Delete.
- AWS EC2
- AWS Lambda
- Azure Functions
- Azure Virtual Machines
- Google Cloud Functions
- Google Compute Engine
- Splunk Infrastructure Monitoring
Step 3: Remove the Content Pack for Splunk Infrastructure Monitoring services
- From the ITSI menu go to Configuration > Services.
- Select Edit > Delete for each of these services and any others you might have created:
- AWS
- AWS EC2
- AWS Lambda
- Azure
- Azure Functions
- Azure VM
- Cloud
- GCP
- Google Cloud Functions
- Google Compute Engine
Step 4: Remove the Content Pack for Splunk Infrastructure Monitoring KPI base searches
- From the ITSI menu go to Configuration > KPI Base Searches.
- Search for "SIM".
- Select Edit > Delete for each of these KPI base searches and any others you might have created:
- SIM:Cloud.AWS_EC2
- SIM:Cloud.AWS_Lambda_Cloudwatch
- SIM:Cloud.Azure_Functions
- SIM:Cloud.Azure_VM
- SIM:Cloud.GCP_Compute
- SIM:Cloud.GCP_Functions_Stackdriver
Step 5: Remove the Content Pack for Splunk Infrastructure Monitoring aggregation policies
- From the ITSI menu go to Configuration > Notable Event Aggregation Policies.
- Search for "SIM".
- Select Edit > Delete for each of these aggregation policies and any others you might have created:
- SIM AWS EC2 Alerts
- SIM Azure VM Alerts
- SIM GCP Compute Engine Alerts
Option 2: Use REST API calls to remove the Content Pack for Splunk Infrastructure Monitoring objects
If you have a lot of entities, deleting objects via the API is faster.
Before each DELETE call, run the matching GET call and verify that it returns only objects that belong to the Content Pack for Splunk Infrastructure Monitoring. Make the REST API calls in the order listed. For information on the Splunk ITSI REST API, see the ITSI REST API Reference manual.
- Verify the Content Pack for Splunk Infrastructure Monitoring entities.
curl -g -k -u admin:password -X GET 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity/?filter={"entity_type_ids":{"$regex":"da-itsi-cp-splunk-infra-monitoring.*"}}'
- Remove the Content Pack for Splunk Infrastructure Monitoring entities.
curl -g -k -u admin:password -X DELETE 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity/?filter={"entity_type_ids":{"$regex":"da-itsi-cp-splunk-infra-monitoring.*"}}'
- Verify the Content Pack for Splunk Infrastructure Monitoring entity types.
curl -g -k -u admin:password -X GET 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_entity_type?query={"source_itsi_da":"DA-ITSI-CP-splunk-infra-monitoring"}'
- Remove the Content Pack for Splunk Infrastructure Monitoring entity types.
curl -g -k -u admin:password -X DELETE 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_entity_type?query={"source_itsi_da":"DA-ITSI-CP-splunk-infra-monitoring"}'
- Verify the Content Pack for Splunk Infrastructure Monitoring services, KPIs, and KPI base searches.
curl -g -k -u admin:password -X GET 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services?query={"source_itsi_da":"DA-ITSI-CP-splunk-infra-monitoring"}'
- Remove the Content Pack for Splunk Infrastructure Monitoring services, KPIs, and KPI base searches.
curl -g -k -u admin:password -X DELETE 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services?query={"source_itsi_da":"DA-ITSI-CP-splunk-infra-monitoring"}'
- Verify the Content Pack for Splunk Infrastructure Monitoring Notable Event Aggregation Policies.
curl -g -k -u admin:password -X GET 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_notable_event_aggregation_policy?query={"_key":{"$regex":"(?i)^da-itsi-cp-splunk-infra-monitoring-sim"}}'
- Remove the Content Pack for Splunk Infrastructure Monitoring Notable Event Aggregation Policies.
curl -g -k -u admin:password -X DELETE 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_notable_event_aggregation_policy?query={"_key":{"$regex":"(?i)^da-itsi-cp-splunk-infra-monitoring-sim"}}'
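The verify-then-delete sequence above can be scripted so that a DELETE is sent only when every object returned by the matching GET really belongs to the content pack. The following is an added example, not Splunk's own code: it assumes each GET returns a JSON array of objects, and the host, user, and CA bundle path passed on the command line are placeholders. It validates the server certificate instead of using -k and prompts for the password instead of placing it on the command line.

```python
import base64, getpass, json, re, ssl, sys, urllib.parse, urllib.request

BASE = "/servicesNS/nobody/SA-ITOA/"
CP = "DA-ITSI-CP-splunk-infra-monitoring"
# (endpoint, parameter, query) copied from the page, in the order it gives.
STEPS = [
    ("itoa_interface/entity/", "filter",
     {"entity_type_ids": {"$regex": "da-itsi-cp-splunk-infra-monitoring.*"}}),
    ("storage/collections/data/itsi_entity_type", "query", {"source_itsi_da": CP}),
    ("storage/collections/data/itsi_services", "query", {"source_itsi_da": CP}),
    ("storage/collections/data/itsi_notable_event_aggregation_policy", "query",
     {"_key": {"$regex": "(?i)^da-itsi-cp-splunk-infra-monitoring-sim"}}),
]

def build_url(host, endpoint, param, query):
    # Percent-encode the JSON so braces and quotes reach splunkd intact.
    return f"https://{host}:8089{BASE}{endpoint}?" + urllib.parse.urlencode(
        {param: json.dumps(query, separators=(",", ":"))})

def field_ok(value, cond):
    # Re-apply one clause of the page's filter client-side (equality or $regex).
    values = value if isinstance(value, list) else [value]
    if isinstance(cond, dict):
        return any(isinstance(v, str) and re.search(cond["$regex"], v) for v in values)
    return cond in values

def unexpected(objects, query):
    # Keys of returned objects that do NOT satisfy the content pack filter.
    return [o.get("_key") for o in objects
            if not all(field_ok(o.get(f), c) for f, c in query.items())]

def call(method, url, auth, ctx):
    req = urllib.request.Request(url, method=method, headers={"Authorization": auth})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()

def migrate(host, user, password, cafile):
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    for endpoint, param, query in STEPS:
        url = build_url(host, endpoint, param, query)
        stray = unexpected(json.loads(call("GET", url, auth, ctx)), query)
        if stray:  # the filter was ignored or too broad: stop before deleting
            raise SystemExit(f"{endpoint}: {len(stray)} unexpected objects, not deleting")
        call("DELETE", url, auth, ctx)

if __name__ == "__main__":  # usage: script.py <host> <user> <ca-bundle.pem>
    migrate(sys.argv[1], sys.argv[2], getpass.getpass(), sys.argv[3])
```

If a GET returns any object outside the content pack, for example because the filter parameter was dropped or malformed in transit, the script exits before the DELETE for that collection is sent.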
Step 3: Remove the Content Pack for Splunk Infrastructure Monitoring correlation searches
- From the ITSI menu go to Configuration > Correlation Searches.
- Search for "Splunk Infrastructure Monitoring Events".
- Select Edit > Delete for each of these correlation searches and any others you might have created:
- Splunk Infrastructure Monitoring Events AWS EC2 Search
- Splunk Infrastructure Monitoring Events Azure VM Search
- Splunk Infrastructure Monitoring Events GCP Compute Engine Search
Step 4: Install the Content Pack for Splunk Observability Cloud
Once you have deleted all the objects from the Content Pack for Splunk Infrastructure Monitoring, you can install the Content Pack for Splunk Observability Cloud. See the Install and configure the Content Pack for Splunk Observability Cloud topic for installation steps.
This documentation applies to the following versions of Content Pack for Splunk Observability Cloud: 3.3.0