Splunk® App for Content Packs

Overview of the Splunk App for Content Packs

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for Content Packs. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Install the Splunk App for Content Packs

To access the content packs on the Data Integrations page of ITSI or IT Essentials Work, you have to install the Splunk App for Content Packs. You can install the Splunk App for Content Packs on your Splunk Cloud Platform or on-premises environment. The Splunk App for Content Packs is compatible with ITSI and IT Essentials Work on Splunk Cloud Platform.

Install the Splunk App for Content Packs on a Splunk Cloud Platform environment

The Splunk App for Content Packs is compatible with ITSI and IT Essentials Work on Splunk Cloud Platform. Splunk Cloud Platform customers can file a case requesting the Splunk App for Content Packs. Use the Splunk Support Portal at Support and Services or contact Splunk Customer Support. You can install the Splunk App for Content Packs on single-instance and distributed deployments.

Install the Splunk App for Content Packs on a single, on-premises environment

At this time, you can't install the Splunk App for Content Packs from the Splunk Web interface.

Follow these steps to install the Splunk App for Content Packs on a single, on-premises Splunk Enterprise environment.

  1. Download the Splunk App for Content Packs from Splunkbase.
  2. Put the downloaded file splunk-app-for-content-packs_<latest_version>.spl into $SPLUNK_HOME/etc/apps.
  3. Stop your Splunk platform deployment. For example:
    cd $SPLUNK_HOME/bin
    ./splunk stop
    
  4. Extract the installation package into $SPLUNK_HOME/etc/apps. For example:
    tar -xvf splunk-app-for-content-packs_<latest_version>.spl -C $SPLUNK_HOME/etc/apps
    

    On Windows, rename the file extension from .spl to .tgz first and use a third-party utility to perform the extraction.

    The extracted directories have the following naming convention DA-ITSI-CP-<contentpack> and DA-ITSI-ContentLibrary.

  5. Start your Splunk platform deployment. For example:
    cd $SPLUNK_HOME/bin
    ./splunk start
    

Install the Splunk App for Content Packs on a search head cluster environment

Follow these steps to to install the Splunk App for Content Packs on a search head cluster Splunk Enterprise environment.

  1. Download the Splunk App for Content Packs from Splunkbase.
  2. On the deployer, extract the Splunk App for Content Packs installation package into the $SPLUNK_HOME/etc/shcluster/apps directory. For example:
    tar -xvf splunk-app-for-content-packs_<latest_version>.spl -C $SPLUNK_HOME/etc/shcluster/apps
    
  3. From the deployer, run the following command to deploy IT Essentials Work to the cluster members:
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
    

    Note the following:

    • The -target parameter specifies the URI and management port for any member of the cluster, for example, https://10.0.1.14:8089. You specify only one cluster member but the deployer pushes to all members. This parameter is required.
    • The -auth parameter specifies credentials for the deployer instance.

    For more information on deploying a configuration bundle, see Deploy a configuration bundle in the Splunk Enterprise Distributed Search Manual.

Install the Splunk App for Content Packs on a distributed environment

You can install the Splunk App for Content Packs on any distributed Splunk Enterprise environment.

Where to install the Splunk App for Content Packs

Splunk instance type Supported Required Actions required
Search heads Yes Yes Install the Splunk App for Content Packs on all search heads. Search heads have to be running a compatible version of Splunk Enterprise. For compatible versions, see the compatibility matrix.
Indexers Yes No The Splunk App for Content Packs doesn't require indexers.
License master Yes No The Splunk App for Content Packs doesn't require a license master component.
Heavy forwarders Yes No The Splunk App for Content Packs doesn't contain a data collection component.
Universal forwarders Yes No The Splunk App for Content Packs doesn't contain a data collection component.

Install the Splunk App for Content Packs for ITSI or IT Essentials Work 4.8.x and earlier

If you are using ITSI or ITE Work 4.8.x and lower, the install method through Splunk App for Content Packs isn't available. Instead, you have to download the content pack as a backup ZIP file and restore it using the backup/restore functionality. The ZIP files, when available, are embedded within the documentation in the installation steps of each content pack. For example, you can find the ZIP file for the Content Pack for ITSI Monitoring and Alerting on the install and configure topic. See Install and configure the Content Pack for ITSI Monitoring and Alerting. Note, many content packs were developed for install through the Splunk App for Content Packs only. As a result, these content packs don't have a ZIP file available in documentation.

After installation of the Splunk App for Content Packs

Following a brand-new installation of the Splunk App for Content Packs, do the following:

  1. From within IT Service Intelligence (ITSI) or its subset IT Essentials Work, click Search on the main navigation bar.
  2. Run the following search to create lookup files required by the Content Pack for ITSI Monitoring and Alerting:
    | savedsearch CPMA-Lookups-Init
Last modified on 26 August, 2022
PREVIOUS
Overview of the Splunk App for Content Packs
  NEXT
Migrate from legacy apps to content packs

This documentation applies to the following versions of Splunk® App for Content Packs: 1.7.0, 1.8.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters