Plan your ITE Work deployment
Deploy Splunk IT Essentials Work (ITE Work) on a configured Splunk platform installation. Review the system and hardware requirements and the search head and indexer considerations before deploying ITE Work.
Available on-premises deployment architectures
You can deploy ITE Work in a single-instance deployment or a distributed-search deployment. Before you deploy ITE Work on premises, familiarize yourself with the components of a Splunk platform deployment. See Components of a Splunk Enterprise deployment in the Capacity Planning Manual.
Single-instance deployments
For a simple, small deployment, install ITE Work on a single Splunk platform instance. A single instance functions as both a search head and an indexer. Use forwarders to collect your data and send it to the single instance for parsing, storing, and searching.
You can use a single-instance deployment for a lab or test environment, or a small system with one or two users running concurrent searches. For instructions on installing ITE Work on a single Splunk Enterprise instance, see Install ITE Work on a single instance.
ITE Work is also available as a service in Splunk Cloud Platform. The Splunk Cloud Platform deployment architecture varies based on data and search load. Splunk Cloud Platform customers work with Splunk Support to set up, manage, and maintain their cloud infrastructure. For information on Splunk Cloud Platform deployments, see Splunk Cloud Platform deployment types in the Splunk Cloud Platform Admin Manual.
Distributed deployments
You can deploy ITE Work across any distributed architecture supported by Splunk Enterprise. This includes all types of deployment topologies, from small departmental deployments using a single instance for both indexer and search head, to large enterprise deployments using several search heads, dozens of indexers, and hundreds of forwarders. See Types of distributed deployments in the Splunk Enterprise Distributed Deployment Manual.
- For information about installing ITE Work in a distributed environment, see Where to install ITE Work in a distributed environment.
- Improve search performance by using an index cluster and distributing the workload of searching data across multiple nodes. Using multiple indexers allows both the data collected by the forwarders and the workload of processing the data to be distributed across the indexers.
- Use forwarders to collect your data and send it to the indexers.
In a distributed-search deployment, and whenever you implement search head clustering, configure the search head to forward all of its data to the indexers. See Best practice: Forward search head data to the indexer layer in the Splunk Enterprise Distributed Search manual.
To scale your distributed-search deployment with ITE Work, see Introduction to capacity planning for Splunk Enterprise in the Capacity Planning Manual and Indexer and search head sizing examples.
Splunk Cloud Platform deployments
ITE Work is available as a service in Splunk Cloud Platform. The Splunk Cloud Platform deployment architecture varies based on data and search load. Splunk Cloud Platform customers have to work with Splunk Support to set up, manage, and maintain their cloud infrastructure. For information on Splunk Cloud Platform deployments, see Splunk Cloud Platform deployment types in the Splunk Cloud Platform Admin Manual. Splunk Cloud Platform customers have to work with Support to install ITE Work. To file a ticket on the Splunk Support Portal, see Support and Services.
Splunk Enterprise system requirements
ITE Work requires a 64-bit OS install on all search heads and indexers. For a list of supported operating systems, browsers, and file systems, see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual.
Use this table to determine the compatibility of the ITE Work versions and Splunk platform versions. Cloud-only versions of ITE Work aren't listed on this table. To determine compatibility with Splunk Cloud Platform versions, see Splunk Cloud Platform system requirements.
Splunk IT Essentials Work version | Splunk platform version
---|---
4.17.x | 9.1.x, 9.0.x
4.17.0 | 9.0.x
4.15.x | 9.0.x, 8.2.x, 8.1.x
4.13.x | 9.0.x, 8.2.x, 8.1.x
Splunk Cloud Platform system requirements
Use this table to determine the compatibility of the ITE Work versions and Splunk Cloud Platform versions.
Splunk IT Essentials Work version | Splunk Cloud Platform version
---|---
4.18.x | 9.0.2305.20x, 9.0.2303.202, 9.0.2303.101, 9.0.2305.100, 9.0.2209
4.17.x | 9.0.2303.200, 9.0.2303.101, 9.0.2209
4.16.x (Cloud only) | 9.0.2209, 9.0.2208
4.15.x | 9.0.2209, 9.0.2208, 9.0.2205, 8.2.2203, 8.2.2201
4.14.x (Cloud only) | 9.0.2209, 9.0.2208, 9.0.2205, 8.2.2203, 8.2.2202
4.13.x | 9.0.2209, 9.0.2208, 9.0.2205, 8.2.2203, 8.2.2202, 8.2.2201
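As an added example (not Splunk's code or documentation), the following Python helper encodes the two compatibility tables above and answers whether a concrete ITE Work version is supported on a concrete Splunk platform or Splunk Cloud Platform version. The matrices are transcribed from this page; the function names and the wildcard rule (an x in a table entry stands for any numeric component, and a more specific row such as 4.17.0 takes precedence over 4.17.x) are this example's own assumptions.

```python
"""Version compatibility check against the ITE Work tables on this page.

Added example, not Splunk's own code. The matrices below are transcribed from
the page; the matching rules are assumptions of this example.
"""
import re

# Transcribed from the on-premises (Splunk platform) table on this page.
PLATFORM_MATRIX = {
    "4.17.x": ["9.1.x", "9.0.x"],
    "4.17.0": ["9.0.x"],
    "4.15.x": ["9.0.x", "8.2.x", "8.1.x"],
    "4.13.x": ["9.0.x", "8.2.x", "8.1.x"],
}

# Transcribed from the Splunk Cloud Platform table on this page.
CLOUD_MATRIX = {
    "4.18.x": ["9.0.2305.20x", "9.0.2303.202", "9.0.2303.101", "9.0.2305.100", "9.0.2209"],
    "4.17.x": ["9.0.2303.200", "9.0.2303.101", "9.0.2209"],
    "4.16.x": ["9.0.2209", "9.0.2208"],
    "4.15.x": ["9.0.2209", "9.0.2208", "9.0.2205", "8.2.2203", "8.2.2201"],
    "4.14.x": ["9.0.2209", "9.0.2208", "9.0.2205", "8.2.2203", "8.2.2202"],
    "4.13.x": ["9.0.2209", "9.0.2208", "9.0.2205", "8.2.2203", "8.2.2202", "8.2.2201"],
}


def _pattern_matches(pattern: str, version: str) -> bool:
    """Match a table entry such as '9.0.x' or '9.0.2305.20x' against a concrete version.

    Every 'x' stands for a run of digits in that position, and a concrete
    version may carry extra trailing components ('9.0.x' matches '9.0.3.1').
    """
    regex = re.escape(pattern).replace("x", r"\d+") + r"(\.\d+)*"
    return re.fullmatch(regex, version) is not None


def supported_versions(ite_version: str, cloud: bool = False) -> list:
    """Return the platform versions listed for the row that best fits ite_version.

    The row with the fewest wildcards wins, so 4.17.0 is governed by its own
    row rather than by the broader 4.17.x row. An empty list means the ITE Work
    version is not in the table at all (for example a Cloud-only release looked
    up in the on-premises matrix).
    """
    matrix = CLOUD_MATRIX if cloud else PLATFORM_MATRIX
    rows = [key for key in matrix if _pattern_matches(key, ite_version)]
    if not rows:
        return []
    best = min(rows, key=lambda key: key.count("x"))
    return list(matrix[best])


def is_compatible(ite_version: str, platform_version: str, cloud: bool = False) -> bool:
    """True when the table lists platform_version (via a matching entry) for ite_version."""
    return any(_pattern_matches(entry, platform_version)
               for entry in supported_versions(ite_version, cloud))


if __name__ == "__main__":
    # Constructed sample lookups.
    for ite, plat, cloud in [("4.17.1", "9.1.2", False), ("4.17.0", "9.1.2", False),
                             ("4.16.1", "9.0.2209", True), ("4.16.1", "9.0.2209", False)]:
        where = "Splunk Cloud Platform" if cloud else "Splunk platform"
        print(f"ITE Work {ite} on {where} {plat}: {is_compatible(ite, plat, cloud)}")
```

Run it before an upgrade of either side: a False result for the on-premises matrix together with a True result for the cloud matrix is how a Cloud-only release (4.14.x, 4.16.x) shows up.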
Hardware requirements
CPU core count and RAM are critical factors in indexer and search head performance. ITE Work requires the minimum hardware specifications below; increase them according to your needs and your usage of ITE Work. These specifications also apply to a single-instance deployment of ITE Work.
In this table, search head refers to a search head dedicated to ITE Work. If ITE Work shares a search head with other applications, you need additional resources beyond 16 cores and 12 GB of RAM.
Machine role | Minimum CPU | Minimum RAM
---|---|---
Search head | 16 cores required, 24+ recommended | 12 GB required, 16+ recommended
Indexer | 16 cores | 32 GB
Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest and parse data efficiently while responding to search requests. For the latest requirements to run Splunk Enterprise, see Reference Hardware: Indexer in the Splunk Enterprise Capacity Planning Manual.
Depending on your environment, you might need to increase the hardware specifications of your ITE Work deployment above these minimums. For larger system configurations, see the mid-range or high-performance specifications for Splunk platform reference hardware: Mid-range specification and High-performance specification in the Splunk Enterprise Capacity Planning Manual.
If the number of indexer CPU cores in your deployment exceeds the minimum hardware specifications, you can implement one of the parallelization settings to improve the indexer performance for specific use cases. See Parallelization settings in the Capacity Planning Manual.
Operating system requirements
For a list of supported operating systems, browsers, and file systems, see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual.
Ubuntu
When installing ITE Work on Ubuntu, use Bash shell. Don't use Dash shell as it can result in defunct processes.
Search-head considerations
ITE Work doesn't require a dedicated search head. However, ITE Work isn't supported on the same search head as Splunk Enterprise Security.
Virtual machines
When running a search head on a virtual machine, make sure to allocate all available CPU and RAM to the search head.
Search-head clustering
Search head clusters increase the search load on indexers. Add more indexers or allocate additional CPU cores to the indexers when implementing a search head cluster. See System requirements and other deployment considerations for search head clusters and Search head clustering architecture in the Distributed Search Manual.
Search-head scaling considerations for ITE Work
Consider the following guidelines when implementing a search head cluster:
Factor | Increase this specification
---|---
A large number of concurrent searches | Increase CPU cores, increase RAM
A large number of real-time searches | Increase CPU cores
A large number of users logging in at the same time | Increase CPU cores
For instructions on deploying ITE Work in a search head cluster environment, see Install ITE Work in a search head cluster environment.
Indexer-clustering support
ITE Work supports both single-site and multisite indexer-cluster architectures. See The basics of indexer cluster architecture and Multisite indexer cluster architecture in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
A single-site or multisite indexer-cluster architecture can have one search head or one search head cluster with a running instance of ITE Work. Additional single-instance search heads can't run ITE Work unless you make specific configuration changes.
For a multisite indexer cluster architecture, do the following:
- Enable summary replication. See Replicated summaries in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
- Set the ITE Work search head to site0 to disable search affinity. See Disable search affinity in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
If you use indexer clustering, the method you use to deploy apps and configuration files to indexer peers is different. See Manage common configurations across all cluster peers and Manage app deployment across all cluster peers in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Real-time search requirements
ITE Work uses an indexed real-time search in place of the default real-time search. Indexed real-time searches allow your real-time searches to run after the events are indexed, which improves indexing performance. You can change this default setting in indexes.conf with no negative effects. For instructions, see Indexed real-time search in the Splunk Enterprise Search Manual.
By default, only users with the admin role can run and save real-time searches. For more information on managing roles and assigning them to users, see Create and manage roles with Splunk Web in the Securing the Splunk Platform manual.
SSL requirements
An SSL configuration is required to run ITE Work. You must enable SSL on the splunkd port, port 8089, in order for certain utilities and scripts to function, including the following:
- kvstore_to_json.py
- command_check_for_kvstore_size.py
- disable_enable_itsi.py
- itsi_reset_default_team.py
- Migration and upgrade
To secure your Splunk Enterprise deployment with SSL, see About securing Splunk Enterprise with SSL.
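Two of the settings this page calls out live in server.conf: the site0 setting on the ITE Work search head for a multisite indexer cluster, and SSL on the splunkd port for the utilities listed above. The following Python preflight is an added example, not Splunk's code; it assumes the standard server.conf locations for those settings (site under [general], enableSplunkdSSL under [sslConfig], treated as true when absent since that is the Splunk default) and runs against a constructed sample file.

```python
"""Preflight check of the server.conf settings this page depends on.

Added example, not Splunk's own code. Assumptions: the site setting is read
from [general] and enableSplunkdSSL from [sslConfig]; an absent
enableSplunkdSSL counts as true (the Splunk default). The sample is constructed.
"""
import configparser

# Constructed sample of a search head that fails both checks.
SAMPLE_SERVER_CONF = """
[general]
serverName = ite-sh-01
site = site1

[sslConfig]
enableSplunkdSSL = false
sslVersions = tls1.2
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text (stanzas of key = value lines)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(text)
    return parser


def _truthy(value: str) -> bool:
    """Simplified reading of Splunk boolean settings."""
    return value.strip().lower() in ("1", "true", "yes", "on", "t", "y")


def check_server_conf(text: str, multisite: bool) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    findings = []

    # The kvstore, reset and migration utilities need SSL on the splunkd port (8089).
    ssl_setting = conf.get("sslConfig", "enableSplunkdSSL", fallback="true")
    if not _truthy(ssl_setting):
        findings.append(
            f"enableSplunkdSSL is {ssl_setting.strip()!r}: enable SSL on the splunkd "
            "port (8089) before installing ITE Work"
        )

    # In a multisite indexer cluster the ITE Work search head must be site0
    # so that search affinity is disabled.
    if multisite:
        site = conf.get("general", "site", fallback=None)
        if site != "site0":
            findings.append(
                f"site is {site!r}: a multisite indexer cluster needs the ITE Work "
                "search head set to site0 to disable search affinity"
            )
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SERVER_CONF
    for finding in check_server_conf(text, multisite="--multisite" in sys.argv) or ["ok"]:
        print(finding)
```

Point it at $SPLUNK_HOME/etc/system/local/server.conf on the search head; note that a setting can also come from an app's local directory, so an empty finding list from one file is not proof that the effective configuration is correct.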
Search macros in ITE Work
ITE Work uses search macros to simplify and consolidate lengthy searches. You can view a complete list of search macros used in ITE Work, including macro definitions and usage details in macros.conf. For more information on search macros, see Use search macros in searches in the Splunk Enterprise Knowledge Manager Manual.
HTTP event collector
ITE Work uses HTTP Event Collector (HEC) for event management. HEC runs as a separate app called splunk_httpinput and stores its input configuration in $SPLUNK_HOME/etc/apps/splunk_httpinput/local.
HEC requires that port 8088 be open for local traffic. You do not need any additional HEC configuration.
For more information about HTTP Event Collector, see Set up and use HTTP Event Collector in Splunk Web in the Splunk Enterprise Getting Data In manual.
Compatibility with other apps
Don't install ITE Work and Splunk Enterprise Security on the same search head or search head cluster. With the exception of Enterprise Security, you can deploy ITE Work on Splunk Enterprise instances with other Splunk apps.
Preparation for deployment
Before you deploy ITE Work, follow these steps:
- Compile a list of your entities. Entities are usually hosts, but can also be users, mobile devices, and so on. Entities for hosts must include, at a minimum, the IP address, host name, and designated role (for example, web, db, or app server).
- Make sure your ITE Work instance includes the default admin user. Deleting or renaming this user breaks ITE Work installation and operation.
- Verify your existing hardware performance using the following search query:
  index=_introspection sourcetype=splunk_resource_usage component=Hostwide earliest=-5m | timechart avg(data.cpu_user_pct) by host
  If the query takes more than 2-5 seconds to complete, check performance in the job inspector to investigate the issue. Slowness might indicate that your current hardware is insufficient or needs reconfiguration. You might have a high-latency dispatch that requires architecture changes.
- Confirm Splunk Enterprise version compatibility. See the Splunk products version compatibility matrix.
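The following Python script, an added example rather than Splunk's code, runs the hardware check search above through the splunkd REST API on port 8089 as a oneshot search and times it. It assumes the /services/search/jobs endpoint with exec_mode=oneshot and HTTP basic authentication; the split of the page's 2-5 second guidance into "borderline" and "slow" is this example's own choice, and the host name and credentials in it are placeholders.

```python
"""Time the hardware check search over the splunkd REST API.

Added example, not Splunk's own code. Assumes POST /services/search/jobs with
exec_mode=oneshot and basic auth; the ok/borderline/slow thresholds are this
example's reading of the page's 2-5 second guidance.
"""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

# The search from this page, with the leading "search" command the REST API expects.
HARDWARE_CHECK_SPL = (
    "search index=_introspection sourcetype=splunk_resource_usage "
    "component=Hostwide earliest=-5m | timechart avg(data.cpu_user_pct) by host"
)

OK_SECONDS = 2.0    # at or under this: fine
SLOW_SECONDS = 5.0  # above this: check the job inspector


def build_request(base_url, user, password, spl):
    """Assemble URL, form body and headers for a oneshot search job."""
    url = base_url.rstrip("/") + "/services/search/jobs"
    body = urllib.parse.urlencode(
        {"search": spl, "exec_mode": "oneshot", "output_mode": "json"}
    ).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token}
    return url, body, headers


def https_post(url, body, headers, cafile=None):
    """Send the request over TLS, verifying the splunkd certificate.

    A default Splunk install serves a self-signed certificate on 8089, so pass
    that certificate (or the CA that signed it) as cafile instead of disabling
    verification.
    """
    context = ssl.create_default_context(cafile=cafile)
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(request, context=context, timeout=120) as response:
        return response.read()


def run_oneshot(base_url, user, password, spl, transport=https_post):
    """Run the search and return (decoded JSON body, wall-clock seconds).

    transport is swappable so the timing logic can be exercised without a server.
    """
    url, body, headers = build_request(base_url, user, password, spl)
    started = time.monotonic()
    raw = transport(url, body, headers)
    elapsed = time.monotonic() - started
    return json.loads(raw), elapsed


def assess_search_time(seconds):
    """Classify the measured time against the page's 2-5 second guidance."""
    if seconds <= OK_SECONDS:
        return "ok"
    if seconds <= SLOW_SECONDS:
        return "borderline"
    return "slow"


if __name__ == "__main__":
    import getpass
    import sys
    # Usage: python check_hw.py https://ite-sh-01:8089 admin  (password is prompted)
    base_url, user = sys.argv[1], sys.argv[2]
    results, seconds = run_oneshot(base_url, user, getpass.getpass(), HARDWARE_CHECK_SPL)
    rows = len(results.get("results", []))
    print(f"{rows} result rows in {seconds:.2f}s: {assess_search_time(seconds)}")
```

The wall-clock time includes dispatch and network overhead, so a "slow" result is the cue to open the job inspector rather than a measurement of hardware on its own; a borderline result on a lightly loaded instance is still worth a second run under realistic load.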
For a comprehensive evaluation of your environment, consult Splunk Professional Services or your support representative.
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.16.0 Cloud only, 4.17.0, 4.17.1