Install the Splunk App for Content Packs
To access the content packs on the Data Integrations page of ITSI or IT Essentials Work, you have to install the Splunk App for Content Packs. You can install the Splunk App for Content Packs on your Splunk Cloud Platform or on-premises environment. The Splunk App for Content Packs is compatible with ITSI and IT Essentials Work on Splunk Cloud Platform.
Install the Splunk App for Content Packs on a Splunk Cloud Platform environment
The Splunk App for Content Packs is compatible with ITSI and IT Essentials Work on Splunk Cloud Platform. Splunk Cloud Platform customers can file a case requesting the Splunk App for Content Packs. Use the Splunk Support Portal at Support and Services or contact Splunk Customer Support. You can install the Splunk App for Content Packs on single-instance and distributed deployments.
Install the Splunk App for Content Packs on a single, on-premises environment
At this time, you can't install the Splunk App for Content Packs from the Splunk Web interface.
Follow these steps to install the Splunk App for Content Packs on a single, on-premises Splunk Enterprise environment.
- Download the Splunk App for Content Packs from Splunkbase.
- Put the downloaded file splunk-app-for-content-packs_<latest_version>.spl into $SPLUNK_HOME/etc/apps.
- Stop your Splunk platform deployment. For example:
cd $SPLUNK_HOME/bin
./splunk stop
- Extract the installation package into $SPLUNK_HOME/etc/apps. For example:
tar -xvf splunk-app-for-content-packs_<latest_version>.spl -C $SPLUNK_HOME/etc/apps
On Windows, rename the file extension from .spl to .tgz first and use a third-party utility to perform the extraction.
The extracted directories have the following naming convention: DA-ITSI-CP-<contentpack> and DA-ITSI-ContentLibrary.
- Start your Splunk platform deployment. For example:
cd $SPLUNK_HOME/bin
./splunk start
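The extraction step unpacks the archive straight into $SPLUNK_HOME/etc/apps (or $SPLUNK_HOME/etc/shcluster/apps on a deployer), so a member path outside the documented DA-ITSI-CP-<contentpack> and DA-ITSI-ContentLibrary directories would overwrite another app's files. The following pre-extraction check is an added example, not part of the Splunk documentation or product; the function names and the sample archives it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Splunk's code): vet a content packs .spl before extraction.

# member_ok <path>: 0 if the path stays under one of the top-level directories
# the page names (DA-ITSI-CP-<contentpack>, DA-ITSI-ContentLibrary), else 1.
member_ok() {
    p=${1#./}
    case $p in
        /*|..|../*|*/..|*/../*) return 1 ;;   # absolute path or ".." component
        DA-ITSI-CP-[!/]*) return 0 ;;
        DA-ITSI-ContentLibrary|DA-ITSI-ContentLibrary/*) return 0 ;;
        *) return 1 ;;                         # would land in another app's directory
    esac
}

# check_spl_layout <archive>: 0 only if the archive lists and every member passes.
check_spl_layout() {
    listing=$(tar -tf "$1") || return 1
    [ -n "$listing" ] || return 1
    bad=0
    while IFS= read -r member; do
        member_ok "$member" || { echo "rejected: $member" >&2; bad=1; }
    done <<EOF
$listing
EOF
    return "$bad"
}

# make_samples <dir>: builds two CONSTRUCTED archives for demonstration.
# good.spl follows the naming convention; bad.spl also carries a "search/" tree.
make_samples() {
    ( cd "$1" &&
      mkdir -p DA-ITSI-CP-sample/default DA-ITSI-ContentLibrary/default search/local &&
      : > DA-ITSI-CP-sample/default/app.conf &&
      : > DA-ITSI-ContentLibrary/default/app.conf &&
      : > search/local/savedsearches.conf &&
      tar -cf good.spl DA-ITSI-CP-sample DA-ITSI-ContentLibrary &&
      tar -cf bad.spl DA-ITSI-CP-sample search )
}

# Usage when run with an argument: ./check_spl.sh <archive>
if [ "$#" -gt 0 ]; then
    check_spl_layout "$1" && echo "layout OK: $1"
fi
```

Run the check on the downloaded .spl and extract only if it returns 0. It inspects member names only, so link targets inside the archive are not checked.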
Install the Splunk App for Content Packs on a search head cluster environment
Follow these steps to install the Splunk App for Content Packs on a search head cluster Splunk Enterprise environment.
- Download the Splunk App for Content Packs from Splunkbase.
- On the deployer, extract the Splunk App for Content Packs installation package into the $SPLUNK_HOME/etc/shcluster/apps directory. For example:
tar -xvf splunk-app-for-content-packs_<latest_version>.spl -C $SPLUNK_HOME/etc/shcluster/apps
- From the deployer, run the following command to deploy IT Essentials Work to the cluster members:
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
Note the following:
- The -target parameter specifies the URI and management port for any member of the cluster, for example, https://10.0.1.14:8089. You specify only one cluster member but the deployer pushes to all members. This parameter is required.
- The -auth parameter specifies credentials for the deployer instance.
For more information on deploying a configuration bundle, see Deploy a configuration bundle in the Splunk Enterprise Distributed Search Manual.
Install the Splunk App for Content Packs on a distributed environment
You can install the Splunk App for Content Packs on any distributed Splunk Enterprise environment.
Where to install the Splunk App for Content Packs
Splunk instance type | Supported | Required | Actions required |
---|---|---|---|
Search heads | Yes | Yes | Install the Splunk App for Content Packs on all search heads. Search heads have to be running a compatible version of Splunk Enterprise. For compatible versions, see the compatibility matrix. |
Indexers | Yes | No | The Splunk App for Content Packs doesn't require indexers. |
License master | Yes | No | The Splunk App for Content Packs doesn't require a license master component. |
Heavy forwarders | Yes | No | The Splunk App for Content Packs doesn't contain a data collection component. |
Universal forwarders | Yes | No | The Splunk App for Content Packs doesn't contain a data collection component. |
After installation of the Splunk App for Content Packs
Following a brand-new installation of the Splunk App for Content Packs, do the following:
First, create lookup files required by the Content Pack for ITSI Monitoring and Alerting:
- From the navigation bar within IT Service Intelligence (ITSI) or IT Essentials Work, go to Settings > Searches, Reports, and Alerts.
- Choose Content Pack for Monitoring and Alerting with owner as nobody.
- Enable and run the search: CPMA-Lookups-Init
Next, remove the benign error related to Could not load lookup=LOOKUP-dropdowns:
- Go to Settings > Searches, Reports, and Alerts.
- Choose Content Pack for Unix Dashboards and Reports with owner as nobody.
- Enable and run the search: dropdowns_lookup_migrate
- You can disable the search if you are not using the Content Pack for Unix Dashboards and Reports.
You get an error when you run the saved search dropdowns_lookup_migrate for the first time because savedsearch initially tries to find the lookup dropdown.csv, which is not present in the environment. This error occurs only once and can be ignored, because the lookup is created after running the search.
Remove the benign error related to Eventtype 'wineventlog-ds' does not exist or is disabled:
- Install Splunk Add-on for Microsoft Windows to remove this error.
This documentation applies to the following versions of Splunk® App for Content Packs: 2.2.0