Content Pack for ITSI Monitoring and Alerting



This documentation does not apply to the most recent version of Content Pack for ITSI Monitoring and Alerting. For documentation on the most recent version, go to the latest release.

Upgrade from a previous version of the Content Pack for ITSI Monitoring and Alerting to v2.2.0

If you have an earlier version of the content pack installed, you can upgrade to this version, but ease of upgrade depends in part on which earlier version you are upgrading from. Upgrading requires downtime for content pack functionality. During upgrade, you won't receive notable events and episodes for your services and KPIs.

  • To upgrade from version 1.x to version 2.1.0, you must follow the existing upgrade steps exactly because upgrade from 1.x to 2.1.x involves accommodating several non-passive breaking changes.
  • Upgrading from version 2.0.3 to version 2.2.0 is relatively easy.

Prerequisites

Create a full backup of your ITSI environment in case you need to revert the upgraded version later. For more information, see Create a full backup in the Administer Splunk IT Service Intelligence Manual.

Review the high-level upgrade steps listed here before you begin an upgrade. Steps are explained in subsections below.

  1. Make note of all enabled or customized content pack objects.
  2. Clone any customized ITSI objects to prevent them from being accidentally overwritten.
  3. Back up custom changes of Splunk knowledge objects.
  4. Disable the Add-on for the Content Pack for Monitoring and Alerting (Package name: SA-ITSI-CP-MA).
  5. Upgrade to the current version of the content pack.
  6. Manually review and reapply prior customizations to the upgraded content pack objects.
  7. Add the files in the upgraded content pack.
  8. Manually re-enable the appropriate content pack objects.
  9. Remove the Add-on for the Content Pack for Monitoring and Alerting (Package name: SA-ITSI-CP-MA).

While the upgrade process for any content pack is largely the same, post-upgrade procedures vary between different content packs.

Make note of all enabled or customized content pack objects

Because the replace existing upgrade option on the content pack installation page both overwrites and disables any objects from the content pack, you need to identify all enabled and customized components before you upgrade. In the following upgrade steps, you will refer back to this list of objects for further action. See Release notes for the Content Pack for ITSI Monitoring and Alerting to review the ITSI objects in the content pack.

(Optional) Clone customized objects from the existing content pack

Clone customized objects from the existing content pack to save the customized object under a new name, which ensures that your changes aren't lost during the upgrade. Keep the cloned objects disabled. They exist only to allow you to perform a manual review of the updated content pack objects with your customizations to determine what changes to reapply after the upgrade.

Create a backup of custom changes to Splunk knowledge objects

Splunk Cloud Platform customers have to create a ticket to request a backup of customized knowledge objects. To file a ticket on the Splunk Support Portal, see Support and Services.

Create a backup of the local directory and metadata/local.meta in the Add-on for the Content Pack for Monitoring and Alerting (SA-ITSI-CP-MA). You will use this later to reapply your customizations.

Disable the Add-on for the Content Pack for Monitoring and Alerting

If you are a Splunk Cloud Platform customer and have the Add-on for the Content Pack for Monitoring and Alerting in a search head cluster environment, create a ticket to have the supporting add-on disabled. To file a ticket on the Splunk Support Portal, see Support and Services.

In the Content Pack for Monitoring and Alerting v2.0.3, all knowledge objects from the supporting add-on have been added to the content pack, so the dependency on the Add-on for the Content Pack for Monitoring and Alerting has been removed. To disable the Add-on for the Content Pack for Monitoring and Alerting, follow these steps:

  1. Select the Manage Apps gear icon.
  2. Locate the Add-on for the Content Pack for Monitoring and Alerting in the list of apps.
  3. Select Disable in the Status column.

Upgrade the content pack

Download and extract the latest version of Splunk App for Content Packs into the $SPLUNK_HOME/etc/apps directory to get the latest version of the content pack. See Install the content pack.

Reapply prior customizations to the upgraded content pack objects

Based on the prior customizations to the content pack objects that you identified before you began the upgrade process, you might need to reapply those customizations to the upgraded objects. Review customizations in the cloned objects, as well as the release notes to reapply necessary customizations. When you are satisfied that prior customizations are appropriately integrated into the latest version of the content pack objects, you can remove any cloned objects.

Add the backup files to the upgraded content pack

Splunk Cloud Platform customers need to create a support ticket to request to have backup files added to the upgraded content pack. To file a ticket on the Splunk Support Portal, see Support and Services.

Copy the files that you have backed up and move them to the content pack directory. Files in the local directory of the SA-ITSI-CP-MA package need to be copied to the $SPLUNK_HOME/etc/apps/DA-ITSI-CP-monitoring-alerting/local directory. Similarly, the local.meta file from the SA-ITSI-CP-MA/metadata directory needs to be copied to the $SPLUNK_HOME/etc/apps/DA-ITSI-CP-monitoring-alerting/metadata directory.
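The backup step described earlier and the copy step above can be scripted for a self-managed Splunk Enterprise host. The following is an added example, not part of the Splunk documentation or tooling; the function names, the backup directory argument, and the `.pre-restore` suffix are assumptions.

```shell
#!/bin/sh
# Added example; function names and backup location are assumptions.
OLD_APP="SA-ITSI-CP-MA"
NEW_APP="DA-ITSI-CP-monitoring-alerting"

# cpma_backup <splunk_home> <backup_dir>: save local/ and metadata/local.meta
cpma_backup() {
    src="$1/etc/apps/$OLD_APP"
    [ -d "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$2/metadata" || return 1
    if [ -d "$src/local" ]; then
        cp -Rp "$src/local" "$2/" || return 1
    fi
    if [ -f "$src/metadata/local.meta" ]; then
        cp -p "$src/metadata/local.meta" "$2/metadata/" || return 1
    fi
}

# cpma_restore <splunk_home> <backup_dir>: copy the backup into the content pack
cpma_restore() {
    dst="$1/etc/apps/$NEW_APP"
    [ -d "$dst" ] || { echo "missing $dst (upgrade first)" >&2; return 1; }
    mkdir -p "$dst/local" "$dst/metadata" || return 1
    if [ -d "$2/local" ]; then
        cp -Rp "$2/local/." "$dst/local/" || return 1
    fi
    if [ -f "$2/metadata/local.meta" ]; then
        # Keep any local.meta the upgrade created, for manual comparison.
        if [ -f "$dst/metadata/local.meta" ]; then
            cp -p "$dst/metadata/local.meta" "$dst/metadata/local.meta.pre-restore" || return 1
        fi
        cp -p "$2/metadata/local.meta" "$dst/metadata/" || return 1
    fi
}

# cpma_verify <splunk_home> <backup_dir>: every backed-up file must be
# byte-identical in the content pack directory; non-zero status otherwise.
cpma_verify() {
    dst="$1/etc/apps/$NEW_APP"
    ( cd "$2" && find . -type f ) | ( while IFS= read -r f; do
        cmp -s "$2/$f" "$dst/$f" || { echo "differs: $f" >&2; exit 1; }
    done )
}
```

Run `cpma_backup "$SPLUNK_HOME" /path/to/backup` before disabling the add-on, then `cpma_restore` and `cpma_verify` with the same arguments after the upgrade.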

Enable previously active content pack objects

After the upgrade, all previously-enabled content pack objects are disabled. You have to enable the correct objects again to restore content pack functionality. Based on the content pack objects that were enabled before the upgrade, as well as any new functionality you want to begin using with the upgraded content pack version, evaluate and enable the appropriate objects.

Remove the Add-on for the Content Pack for Monitoring and Alerting

Splunk Cloud Platform customers need to create a support ticket to request to have the Add-on for the Content Pack for Monitoring and Alerting removed. To file a ticket on the Splunk Support Portal, see Support and Services.

After performing the above steps, verify that all your customizations are working as expected. Once you are satisfied with the new version of the content pack, remove the Add-on for the Content Pack for Monitoring and Alerting from your Splunk environment. See Uninstall an app or add-on in the Splunk Enterprise Admin Manual.

Perform post-upgrade steps

To begin consuming the new functionality in this version of the content pack, you must complete a set of post-upgrade installation steps. Each required step is covered in greater detail in other sections of the documentation, but the high-level post-upgrade steps are as follows:

  1. Review the new visualizations that have been added to the optional Splunkbase apps and determine which visualizations you want to install.
  2. Create new entities for each ITSI aggregation policy by running the IT Service Intelligence - CPMA ITSI Aggregation Policies - Entity Discovery Search search.
  3. Enable the ITSI Event Analytics, ITSI Alert Analytics, and ITSI Episode Analytics services.
  4. Enable the desired Service Monitoring Correlation searches.
  5. Enable the ITSI Alert and Episode Monitoring Aggregation policy.
Last modified on 29 November, 2022

This documentation applies to the following versions of Content Pack for ITSI Monitoring and Alerting: 2.1.0, 2.2.0

