Splunk® IT Essentials Work

Install Splunk IT Essentials Work



This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Install ITE Work in a search head cluster environment

Splunk IT Essentials Work (ITE Work) has specific requirements and processes for implementing search head clustering.

See the following pages for more information about search head clustering:

Where to install ITE Work and other dependencies

The following table describes the required locations for installing ITE Work and other dependencies in your search head cluster environment.

Component Search heads Indexers Heavy forwarder Description
Splunk IT Essentials Work Required Required You have to install ITE Work on each search head cluster node.

(Optional) Splunk Add-on for Amazon Web Services Required You have to install the add-on if you are collecting data from AWS. Version 5.0.0 is supported.
(Optional) HTTP Event Collector Required You have to install the HTTP Event collector if you are collecting metrics from a *nix host. Collectd, which collects metrics data from *nix hosts, sends data to a HEC.
(Optional) TCP input Required If you are collecting *nix and Windows logs and Windows metrics, configure a TCP input. You need to configure a port to receive data from a universal forwarder.

Prerequisites for installing ITE Work in a search head cluster environment

ITE Work supports installation on Linux-based search head clusters only. ITE Work doesn't support installation on Windows search head clusters.

Before installing ITE Work in a search head cluster environment, verify that you have the following:

  • One deployer
  • The same version of Splunk Enterprise on the deployer and search head cluster nodes
  • The same app versions, not including ITE Work, on the deployer and search head cluster nodes
  • A backup of etc/shcluster/apps on the deployer, taken before installing ITE Work
  • A backup of etc/apps from one of the search head cluster nodes
  • A backup of the KV store from one of the search head cluster nodes

Steps

Follow these steps to set up ITE Work in a search head cluster environment.

If you install ITE Work in an existing search head cluster environment that has other apps deployed already, you have to follow all of the steps in this section. Don't delete or remove any existing content in the $SPLUNK_HOME/etc/shcluster/apps folder.

1. Install ITE Work in a search head cluster environment

To install ITE Work on a search head cluster, perform the following steps:

  1. Log in to splunk.com with your credentials.
  2. Download the latest version of ITE Work from Splunkbase.
    1. You have to read and accept the license terms and conditions to download the app.
    2. Depending on your system, you might be prompted to keep the executable file.
  3. Stop your Splunk platform. See Start and stop Splunk Enterprise for steps to do so in your specific environment.
    For example, on *nix:
    cd $SPLUNK_HOME/bin
    ./splunk stop
    
  4. On the deployer, extract the ITE Work installation package into $SPLUNK_HOME/etc/shcluster/apps. For example:
    tar -xvf splunk-it-essentials-work_<latest_version>.spl -C $SPLUNK_HOME/etc/shcluster/apps
    

    On Windows, rename the file extension from .spl to .tgz first and use a third-party utility to perform the extraction.

  5. From the deployer, run the following command to deploy ITE Work to the cluster members:
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
    

    Note the following:

    • The -target parameter specifies the URI and management port for any member of the cluster, for example, https://10.0.1.14:8089. You specify only one cluster member but the deployer pushes to all members. This parameter is required.
    • The -auth parameter specifies credentials for the deployer instance.

    For more information on deploying a configuration bundle, see Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

  6. Restart your Splunk platform. See Start and stop Splunk Enterprise for steps to do so in your specific environment.
    For example, on *nix:
    cd $SPLUNK_HOME/bin
    ./splunk start
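
The backup prerequisite and the extraction in step 4 can be combined into one guarded staging step on the deployer. The following is an added example, not Splunk tooling and not part of the original topic; the function names and their arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not Splunk tooling: function names and arguments are hypothetical.

# Exit 0 if any tar member name on stdin is absolute or has a ".." path component.
has_unsafe_member() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# stage_app_package <package.spl> <SPLUNK_HOME on the deployer> <backup file to write>
stage_app_package() {
    pkg=$1
    apps_dir=$2/etc/shcluster/apps
    backup=$3        # keep this outside apps_dir so the backup does not archive itself

    [ -f "$pkg" ] && [ -d "$apps_dir" ] || { echo "missing package or apps dir" >&2; return 2; }

    # Prerequisite from the page: back up etc/shcluster/apps before installing.
    tar -czf "$backup" -C "$apps_dir" . || return 3

    # An .spl is a gzipped tar. List it first and refuse names that escape apps_dir.
    members=$(tar -tzf "$pkg") || return 4
    if printf '%s\n' "$members" | has_unsafe_member; then
        echo "unsafe path in $pkg, not extracting" >&2
        return 5
    fi

    # Record the apps already staged, then extract the package alongside them.
    before=$(ls -1 "$apps_dir")
    tar -xzf "$pkg" -C "$apps_dir" || return 6

    # Nothing that was in shcluster/apps before may be missing afterwards.
    for app in $before; do
        [ -e "$apps_dir/$app" ] || { echo "lost existing app: $app" >&2; return 7; }
    done
}

# Then deploy from the deployer as in step 5. Leaving out -auth makes the Splunk CLI
# prompt for credentials, which keeps the password out of shell history and the
# process list:
#   splunk apply shcluster-bundle -target <URI>:<management_port>
```

The name check covers member paths only; it does not inspect symbolic links inside the archive.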
    

2. Configure indexers and license masters

The ITE Work installation package places all ITE Work directories in $SPLUNK_HOME/etc/apps. Perform the following steps to set up indexers and license masters:

  1. Copy SA-IndexCreation found in the $SPLUNK_HOME/etc/apps/ directory to the same directory on all individual indexers in your environment.
  2. Install SA-ITSI-Licensechecker and SA-UserAccess on all license masters in your cluster. If a search head in your environment is also a license master, the license master components are installed when you install ITE Work on the search heads.

3. Configure search heads and cluster members to forward data to indexers

In a search head cluster environment, configure search heads to forward data. For more information, see Best practice: Forward search head data to the indexer layer in the Splunk Enterprise Distributed Search manual.

4. (Optional) Migrate an existing search head to a search head cluster

You can't add a standalone ITE Work search head or search head pool member to a search head cluster. To migrate ITE Work configurations to a search head cluster, perform the following steps:

  1. Identify any custom configurations and modifications in the prior ITE Work installation. Check to make sure there is no local copy of settings.conf that might conflict with the default file when you deploy ITE Work to the cluster.
  2. Configure and start a search head cluster. For more information, see Deploy a search head cluster in the Splunk Enterprise Distributed Search manual.
  3. Deploy the latest version of ITE Work on the search head cluster.
  4. Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
  5. Shut down the old ITE Work search head.

For more information, see the topic Migrate settings from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search manual.

For assistance in planning a Splunk ITE Work deployment migration, contact Splunk Services.

5. Configure data collection

You can collect data from Linux, Mac OS X, and Windows hosts, Kubernetes and OpenShift clusters, Docker containers, and VMware vCenter Servers. If you installed and configured the Splunk Add-on for Amazon Web Services on a heavy forwarder, you can also collect data from your AWS accounts. For more information, see Overview of entity integrations in ITSI.

Verify installation

There are two ways to verify ITE Work is successfully installed:

  1. Check that the ITE Work directories are in $SPLUNK_HOME/etc/shcluster/apps. See About the ITE Work installation package for the list of directories.
  2. Go to Apps > Manage Apps in Splunk Web and search for "IT Essentials Work".

Alongside ITSI or Splunk Enterprise Security

ITE Work can't be installed on the same search head as Splunk IT Service Intelligence (ITSI) or Splunk Enterprise Security.

Last modified on 02 December, 2022

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.13.0, 4.13.1, 4.13.2, 4.13.3

