Splunk® IT Essentials Work

Install Splunk IT Essentials Work

This documentation doesn't apply to the most recent version of Splunk IT Essentials Work.
This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

About the ITE Work installation package

The ITE Work installation package places the following directories in $SPLUNK_HOME/etc/apps or $SPLUNK_HOME/etc/shcluster/apps depending on your deployment.

  • DA-ITSI-APPSERVER
  • DA-ITSI-DATABASE
  • DA-ITSI-EUEM
  • DA-ITSI-LB
  • DA-ITSI-OS
  • DA-ITSI-STORAGE
  • DA-ITSI-VIRTUALIZATION
  • DA-ITSI-WEBSERVER
  • itsi
  • SA-IndexCreation
  • SA-ITOA
  • SA-ITSI-ATAD
  • SA-ITSI-CustomModuleViz
  • SA-ITSI-Licensechecker
  • SA-ITSI-MetricAD
  • SA-UserAccess

Indexes installed with ITE Work

IT Essentials Work (ITE Work) implements custom indexes for event storage. All ITE Work indexes are listed in $SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf.

  • In a single instance deployment, the installation of ITE Work creates the indexes in the default path for data storage.
  • In a Splunk Cloud Platform deployment, customers work with Splunk Support to set up, manage, and maintain their cloud index parameters. See Manage Splunk Cloud indexes in the Splunk Cloud Admin Manual.
  • In a distributed deployment, create the indexes on all Splunk platform indexers or search peers.

For detailed examples of configuring indexes, see indexes.conf.example in the Splunk Enterprise Admin Manual.

ITE Work indexes

The following table describes the indexes available in $SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf:

Index Description
anomaly_detection
(Only used in ITSI)
An internal index used to support trending and cohesive anomaly detection in ITSI.
itsi_grouped_alerts
(Only used in ITSI)
Stores active episode data.
itsi_im_meta This events index is used for metadata from the default data integrations. For more information see, ITSI entity discovery searches in the Entity Integrations Manual.
itsi_im_metrics This metrics index is used for metrics from the default data integrations. For more information see, ITSI entity discovery searches in the Entity Integrations Manual.
itsi_import_objects This events index is used by ITSI in the entity creation process. For more information, see Overview of entity integrations in ITSI in the Entity Integrations Manual.
itsi_notable_audit
(Only used in ITSI)
Stores all audit events for episodes, including actions, comments, status change, and owner change.
itsi_notable_archive
(Only used in ITSI)
Stores episode metadata (tags and comments) that has been moved from the KV store after a default 6 month retention period, which begins when you close an episode in the UI. Moving data from the KV store removes extraneous data and helps improve performance.
itsi_summary
(Only used in ITSI)
Stores the results of scheduled KPIs searches. Summary indexing lets you run fast searches over large data sets by spreading out the cost of a computationally expensive report over time.
itsi_summary_metrics
(Only used in ITSI)
A metrics index that stores the results of scheduled KPI searches. Every KPI is summarized in both the itsi_summary events index and the metrics index. This index improves the performance of the searches dispatched by ITSI, particularly for very large environments.
itsi_tracked_alerts
(Only used in ITSI)
Stores active raw notable event data.
snmptrapd
(Only used in ITSI)
Stores events coming in from SNMP traps. For more information, see Ingest SNMP traps into ITSI.
Last modified on 28 February, 2024
Install ITE Work in a search head cluster environment  

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters