Splunk® IT Essentials Work

Administration Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Configure multiple ITE Work deployments to use the same indexing layer

You can deploy separate non-clustered search heads for different purposes that forward data to the same indexers. For example, you can use one search head for production and a second search head for testing. You can also deploy separate search head clusters that use the same indexer cluster. In each case, the search heads must be running the same version of and Splunk Enterprise.

Before configuring multiple ITE Work environments to search against the same indexing tier, you must first follow these steps to ensure that different ITE Work environments don't end up inadvertently writing to the same indexes and polluting the results of your production environment.

High-level steps:

  1. Create new indexes for each ITE Work index with the name of the environment appended to the original index name.
  2. Update index in backfill searches for custom indexes.
  3. Configure the ITE Work search heads to write to the newly created indexes.
  4. Restart your Splunk software.
  5. Validate that your new environment is configured to write to the new indexes.

Create new indexes

On each Splunk indexer, create a new index for each of the itsi_* and anomaly_detection indexes listed in $SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf. Append the name of the environment to the original index name.

For example:

  • itsi_summary > itsi_summary_dev
  • itsi_summary_metrics > itsi_summary_metrics_dev
  • itsi_tracked_alerts > itsi_tracked_alerts_dev
  • itsi_notable_audit > itsi_notable_audit_dev
  • itsi_notable_archive > itsi_notable_archive_dev
  • itsi_grouped_alerts > itsi_grouped_alerts_dev
  • anomaly_detection > anomaly_detection_dev
  • itsi_im_metrics > itsi_im_metrics_dev
  • itsi_import_objects > itsi_import_objects_dev

For more information about creating indexes, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Update index in backfill searches for custom indexes

If you are using a custom index, you must change the index name in periodic backfill searches. See Update index in backfill searches for custom indexes in the Event Analytics manual for steps to do so.

Configure search heads to write to the new indexes

Perform one of the following steps depending on your deployment:

Non-clustered

On each search head, create local versions of the following files:

  • $SPLUNK_HOME/etc/apps/itsi/local/alert_actions.conf
  • $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf
  • $SPLUNK_HOME/etc/apps/SA-ITOA/local/macros.conf
  • $SPLUNK_HOME/etc/apps/SA-ITOA/local/alert_actions.conf
  • $SPLUNK_HOME/etc/apps/SA-ITOA/local/itsi_rules_engine.properties

In each file, change the default ITSI index names to the new index names you want to use for the data from that search head. For more information, see How to edit a configuration file in the Splunk Enterprise Admin Manual.

Search head cluster

Make the changes described in the non-clustered steps above on the deployer at etc/shcluster/apps and push the changes to the cluster members. For more information, see Deploy a search head cluster in the Splunk Enterprise Distributed Search manual.

Restart your Splunk software

Restart your Splunk software or perform a rolling restart to put the changes into effect. For more information, see Restart the search head cluster in the Distributed Search manual.

Validate setup

On each search head, perform the following steps to confirm that searches are pointing to the correct indexes:

  1. In Splunk Web, navigate to Settings > Data inputs > HTTP Event Collector. Look for the renamed index names for the five ITSI event management tokens with the following source types: itsi_notable:event, itsi_notable:archive, itsi_notable:audit, itsi_notable:group.
  2. Check the Event Analytics Audit dashboard to make sure the searches run as expected. For more information, see Event Analytics Audit dashboard in the Event Analytics manual.
  3. Replace macro searches with the name of the renamed index. For example, the following searches should return the same events:

    `itsi_event_management_index_with_close_events` | stats count AS events

    index="<new name for itsi_tracked_alerts>" | stats count AS events

  4. Make sure the data is displaying as expected in service analyzers, deep dives, glass tables, and Episode Review.
  5. Verify that ITE Work users can access the new indexes.
Last modified on 19 December, 2023
ITE Work metrics summary index reference   Use the Health Check dashboard

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters