Splunk® IT Essentials Work

Entity Integrations Manual

Migrate from Splunk App for Infrastructure (SAI) to IT Service Intelligence

Since ITSI 4.9.0, SAI is no longer packaged with ITSI. This document provides steps to migrate your SAI data integrations to ITSI so you can continue monitoring your Windows, Linux, and other entities that were monitored in SAI.

Linux/Unix (Add-On)

Method 1: Manual

The Splunk Add-on for Unix and Linux method is manual in both SAI and ITSI. The setup involves configuring specific inputs in inputs.conf and specifying an index to send data to.

  1. To migrate to ITSI, change index = em_metrics to index = itsi_im_metrics.

Linux/Unix (Collectd)

Method 1: HEC token replacement (recommended)

If you created an HEC token specifically for SAI and have access to .conf files on the machine, complete the following steps:

  1. Identify the HEC token used for sending data to the em_metrics, em_meta, and main indexes.
  2. Change this HEC token to send data to the itsi_im_metrics, itsi_im_meta, and main indexes, with itsi_im_metrics set as the default.
  3. Identify the inputs.conf stanza that corresponds to the HEC token and move it into SA-ITOA/local/inputs.conf. These steps will need to be performed for each HEC token in use. In most cases, this will only need to be performed once.

Note: Modifying the HEC token will affect every data integration and other setups using that HEC token. Within SAI and ITSI, modifying the HEC token may also affect the OSX data integration.
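The following sketch illustrates steps 1 to 3 above; it is an added example, not code from Splunk or from this manual. It rewrites the `index` and `indexes` settings of HEC (`[http://...]`) stanzas in an inputs.conf and reports which stanzas changed, so they can be moved to SA-ITOA/local/inputs.conf. The stanza names and token values in the sample are constructed placeholders.

```python
import re

# Legacy SAI index -> ITSI index, as named in the steps above.
INDEX_MAP = {"em_metrics": "itsi_im_metrics", "em_meta": "itsi_im_meta"}
STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<val>.*)$")

def migrate_hec_stanzas(conf_text):
    """Return (migrated_text, changed_stanzas); only [http://...] stanzas are edited."""
    out, changed, current = [], [], None
    for line in conf_text.splitlines():
        header = STANZA.match(line.strip())
        if header:
            current = header.group("name")
        setting = SETTING.match(line.strip())
        if setting and current and current.startswith("http://"):
            key, val = setting.group("key"), setting.group("val").strip()
            if key in ("index", "indexes"):
                # Compare whole index names: a substring replace would
                # corrupt unrelated names such as "system_metrics".
                names = [n.strip() for n in val.split(",")]
                new = [INDEX_MAP.get(n, n) for n in names]
                if new != names:
                    line = f"{key} = {','.join(new)}"
                    if current not in changed:
                        changed.append(current)
        out.append(line)
    return "\n".join(out) + "\n", changed

# Constructed sample input; the token values are placeholders.
SAMPLE = """\
[http://sai_collectd]
token = 00000000-0000-0000-0000-000000000000
index = em_metrics
indexes = em_metrics, em_meta, main

[http://other_app]
token = 11111111-1111-1111-1111-111111111111
index = system_metrics

[monitor:///var/log/messages]
index = em_metrics
"""

if __name__ == "__main__":
    text, changed = migrate_hec_stanzas(SAMPLE)
    print(text)
    print("Move to SA-ITOA/local/inputs.conf:", changed)
```

The non-HEC `monitor` stanza is deliberately left untouched; it belongs to the add-on method, where the index is changed by hand.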

Method 2: Re-install from SAI or ITSI

If you don't have any custom configurations to collectd or the universal forwarder that sends data from SAI entities, use this method:

  1. Create a HEC token within the ITSI app context that sends data to the itsi_im_metrics, itsi_im_meta, and main indexes, with itsi_im_metrics set as the default.
  2. Re-run the Data Integration snippet from either the SAI UI or the ITSI UI using this HEC token. Both snippets in the apps work the same way. You do not have to remove the existing SAI configuration beforehand. The existing collectd.conf will be overwritten.
  3. A backup of the old collectd.conf will be created in the same directory, called collectd.conf.old.$DATE. If using the universal forwarder, the existing Splunk universal forwarder local folder will be overwritten. A backup of the old local folder will be created, called local.$DATE.bak. These steps will need to be performed for each instance sending data to SAI.

Method 3: Manual

If you've made custom configurations to collectd or the universal forwarder, you can modify the configuration files manually to avoid undoing your custom configurations.

  1. For collectd, modify the write_splunk stanza in the collectd.conf file.
  2. For the universal forwarder, modify inputs.conf in SplunkUniversalForwarder/local. Restart collectd and the universal forwarder to see your changes applied. These steps will need to be performed for each customized instance sending data to SAI.

OSX

Method 1: HEC token replacement (recommended)

If you created an HEC token specifically for SAI and have access to .conf files on the machine, complete the following steps:

  1. Identify the HEC token used for sending data to the em_metrics, em_meta, and main indexes.
  2. Change this HEC token to send data to the itsi_im_metrics, itsi_im_meta, and main indexes, with itsi_im_metrics set as the default.
  3. Identify the inputs.conf stanza that corresponds to the HEC token and move it into SA-ITOA/local/inputs.conf. These steps will need to be performed for each HEC token in use. In most cases, this will only need to be performed once.

Note: Modifying the HEC token will affect every data integration and other setups using that HEC token. Within SAI and ITSI, modifying the HEC token may also affect the OSX data integration.

Method 2: Re-install from SAI

If you don't have any custom configurations to collectd or the universal forwarder that sends data from SAI entities, use this method:

  1. Create a HEC token within the ITSI app context that sends data to the itsi_im_metrics, itsi_im_meta, and main indexes, with itsi_im_metrics set as the default.
  2. Re-run the Data Integration snippet from either the SAI UI or the ITSI UI using this HEC token. Both snippets in the apps work the same way. You do not have to remove the existing SAI configuration beforehand. The existing collectd.conf will be overwritten.
  3. A backup of the old collectd.conf will be created in the same directory, called collectd.conf.old.$DATE. If using the universal forwarder, the existing Splunk universal forwarder local folder will be overwritten. A backup of the old local folder will be created, called local.$DATE.bak. These steps will need to be performed for each instance sending data to SAI.

Method 3: Re-install without SAI

If you do not have access to the SAI app, you can generate the same installation and manually configure an OSX integration. Obtain a HEC token that sends data to the itsi_im_metrics, itsi_im_meta, and main indexes. Then, run the snippet generated from the documentation page and HEC token. These steps will need to be performed for each instance sending data to SAI.

Method 4: Manual

If you've made custom configurations to collectd or the universal forwarder, you can modify the configuration files manually to avoid undoing your custom configurations.

  1. For collectd, modify the write_splunk stanza in the collectd.conf file.
  2. For the universal forwarder, modify inputs.conf in SplunkUniversalForwarder/local. Restart collectd and the universal forwarder to see your changes applied. These steps will need to be performed for each customized instance sending data to SAI.

The ITSI-native versions of these OSX entities will be discovered as entities with the *Nix entity type.

Windows

Overview

Method 2 is the manual method for upgrading.

Method 1: Re-install from ITSI

If you don't have any custom configurations to the universal forwarder that sends data from SAI entities and you have access to SAI, complete the following steps:

  1. Before running these steps, take a backup of the Splunk universal forwarder local/ folder on each instance. Re-run the Data Integration snippet from the ITSI UI. You do not have to remove the existing SAI-onboarded configuration. The existing Splunk universal forwarder local/ folder under the SplunkUniversalForwarder/ app will be overwritten. These steps will need to be performed for each instance sending data to SAI.

Method 2: Manual

If you no longer have access to the SAI app or if you've made custom configurations to collectd or the universal forwarder, follow these steps:

  1. For the universal forwarder, modify inputs.conf in SplunkUniversalForwarder/local by replacing all instances of em_metrics with itsi_im_metrics.
  2. Restart the universal forwarder to apply your changes.

AWS

Method: Add-on UI

Onboarding AWS data in SAI and ITSI relies upon the Splunk Add-on for Amazon Web Services. In SAI, this was configured via an interactive page within SAI. There is no equivalent UI in the ITSI app at this time. In ITSI, this will need to be configured via the add-on's pages:

  1. From the Splunk_TA_aws/inputs file, edit all inputs that send data to the em_metrics index and modify them to send to the itsi_im_metrics index instead. These steps will need to be performed for each AWS account sending data to SAI. In most cases, this will only need to be performed once.

The ITSI-native versions of these AWS entities will have no entity type associated. Create the entity type by modifying the ITSI Import Objects - AWS* stanzas from itsi/default/savedsearches.conf in a file called itsi/local/savedsearches.conf.

Note: Currently, the Content Pack for Amazon Web Services Dashboards and Reports uses a different mechanism for discovering AWS entities in ITSI. The AWS entity types and dashboards contained in it do not have any relationship to the ones built into ITSI.

Kubernetes

While the Kubernetes integration uses HEC tokens like the Linux/Unix and OSX integrations do, changing the HEC token will not be sufficient as Splunk Connect for Kubernetes routes data by index-name.

If you have access to SAI, Method 1 is recommended. Method 2 is a more manual version of Method 1 for users who no longer have access to SAI.

Method 1: Re-install from SAI

If you have access to SAI, complete the following steps:

  1. Remove the Helm release that contains the existing Kubernetes integration. If the namespace is no longer in use, delete the namespace from Kubernetes.
  2. Obtain a HEC token that sends data to the itsi_im_metrics, itsi_im_meta, and main indexes.
  3. Re-run the Data Integration snippet from the SAI UI using this HEC token. There is no equivalent UI in the ITSI app at this time. These steps will need to be performed for each Kubernetes cluster sending data to SAI.

Method 2: Re-install without SAI

If you do not have access to the SAI app, you can generate the same installation snippet and manually configure a Kubernetes (SKC) integration. These steps will need to be performed for each Kubernetes cluster sending data to SAI.

OpenShift

Method 1: Re-install from SAI

If you have access to SAI, complete the following steps:

  1. Remove the Helm release that contains the existing OpenShift integration. If the namespace is no longer in use, delete the namespace from OpenShift.
  2. Obtain a HEC token that sends data to the itsi_im_metrics, itsi_im_meta, and main indexes.
  3. Re-run the Data Integration snippet from the SAI UI using this HEC token. There is no equivalent UI in the ITSI app at this time. These steps will need to be performed for each OpenShift cluster sending data to SAI.

Method 2: Re-installation without SAI

If you do not have access to the SAI app, you can generate the same installation snippet and manually configure an OpenShift integration. First, remove the Helm release that contains the existing OpenShift integration. If the namespace is no longer in use, delete the namespace from OpenShift. Obtain a HEC token that sends data to the itsi_im_metrics, itsi_im_meta, and main indexes. Then, run the snippet generated from the aforementioned documentation page. These steps will need to be performed for each OpenShift cluster sending data to SAI.

VMware

No additional steps are needed to move VMware entities from SAI to ITSI. Both apps rely upon configuration of a third app, the Splunk Add-on for VMware Metrics, which comes with its own metrics indexes.

Last modified on 15 June, 2022

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.2, 4.15.1, 4.15.3

