Install the Splunk ITSI Module for Cloud Services onto your ITSI deployment

Install the Splunk ITSI Module for Cloud Services on every Splunk platform instance that has ITSI installed.

Install on a single instance

You can install the Splunk ITSI Module for Cloud Services on a single Splunk platform instance. In a single-instance deployment, a single Splunk platform instance serves as both search head and indexer.

1. Download the DA-ITSI-Cloud-1.0.0.spl installation package.
2. Stop splunk.

   cd $SPLUNK_HOME/bin
   ./splunk stop
   

3. Extract the package into $SPLUNK_HOME/etc/apps.

   tar -xvf DA-ITSI-Cloud-1.0.0.spl -C $SPLUNK_HOME/etc/apps
   

4. Start splunkd.

   cd $SPLUNK_HOME/bin
   ./splunk start
   

Install the ITSI Module for Cloud Services in a distributed environment

You can install ITSI in any distributed Splunk platform environment. For more information on distributed Splunk platform environments, see Distributed deployment in this manual.

Install on search heads

1. Copy the ITSI install package to all search heads.

   scp DA-ITSI-Cloud-1.0.0.spl username@remotehost.com:$SPLUNK_HOME/etc/apps
   

2. Untar the install package.

   tar -xvf DA-ITSI-Cloud-1.0.0.spl
   

3. Restart splunkd.

   cd $SPLUNK_HOME/bin
   ./splunk restart
   

Install the Cloud Services Module on a search head cluster

ITSI versions 2.1.0 and later support search head clusters.

When deploying ITSI to a search head cluster in a production environment, note the following:

• The deployer distributes all apps and permissions to search head cluster members. The deployer is a Splunk platform instance that stands outside the cluster. The deployer cannot run on the same instance as another cluster member. See Parts of a search head cluster in the Distributed Search manual.

Prerequisites

Before you deploy ITSI to a search head cluster, make sure your Splunk platform deployment includes:

• An existing search head cluster, including a minimum of 3 search heads, any number of search peers (indexers), and a deployer server. See Deploy a search head cluster in the Distributed Search manual.

Install the Cloud Services Module on the deployer

The first step is to install the Cloud Services Module on the deployer in the shcluster/apps directory.

1. Create a temporary directory for unzipping the data.
2. Move the DA-ITSI-Cloud-1.0.0.spl file to this directory.
3. Extract the installation file.
4. Copy all files included in the installation package from the temp location to $SPLUNK_HOME/etc/shcluster/apps/. For example:

   mkdir /tmp/itsi
   mv DA-ITSI-Cloud-1.0.0.spl /tmp/itsi
   cd /tmp/itsi
   tar -xvf DA-ITSI-Cloud-1.0.0.spl
   cp -R * $SPLUNK_HOME/etc/shcluster/apps/
   

Deploy the configuration bundle to the cluster

The next step is to push the configuration bundle from the deployer to search head cluster members.

Caution: Do not deploy a bundle from any instance other than the deployer. Running the apply shcluster-bundle command on a non-deployer instance, such as a cluster member, will delete all existing apps and user generated content on all search head cluster members!

1. On the deployer, under $SPLUNK_HOME/etc/shcluster/apps, create a subdirectory auth_itsi/local.

   cd $SPLUNK_HOME/etc/shcluster/apps
   mkdir auth_itsi/local
   

2. Copy the authentication.conf file from $SPLUNK_HOME/etc/system/local/ to $SPLUNK_HOME/etc/shcluster/apps/auth_itsi/local.

   cd $SPLUNK_HOME/etc/system/local/
   cp authentication.conf $SPLUNK_HOME/etc/shcluster/apps/auth_itsi/local
   

3. Run the splunk apply shcluster-bundle command on the deployer.

   splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
   

   
   The -target parameter (required) specifies the URI and management port for any member of the cluster. For example: https://10.0.1.14:8089. Though you specify a single cluster member only, the deployer pushes the URI and management port to all members.
   The -auth parameter specifies credentials for the deployer instance. This pushes everything contained in the shcluster/ directory (including the ITSI app, all SAs, and any LDAP configurations) from the deployer to each search head cluster member.

Note: For user access controls to work properly across the search head cluster, the same user with the same roles or capabilities must exist on all search heads. To do this, you can use authentication.conf to push LDAP configurations to each cluster member (as described in the previous section), or manually copy the LDAP configuration to each search head cluster member.

For more information, see Deploy a configuration bundle in the Distributed Search manual.

Configure search head cluster members to forward data

It is considered a best practice to forward data from search heads to the indexer layer. For instructions on how to configure search head cluster members to forward data, see Forward data from search head cluster members in the Distributed Search manual.

Propagate modular inputs for CSV import to a cluster

If you save a modular input for CSV import on a search head, the modular input applies to that search head only. To propagate the modular input to other search heads in the cluster, you must use the deployer. For more information, see Create a modular input for CSV import in this manual.