Install ITE Work in a search head cluster environment
Splunk IT Essentials Work (ITE Work) has specific requirements and processes for implementing search head clustering.
See the following pages for more information about search head clustering:
- For an overview of search head clustering, see Search head clustering architecture in the Splunk Enterprise Distributed Search manual.
- For a complete list of search head clustering requirements, see System requirements and other deployment considerations for search head clusters in the Splunk Enterprise Distributed Search manual.
Where to install ITE Work and other dependencies
The following table describes the required locations for installing ITE Work and other dependencies in your search head cluster environment.
Component | Search heads | Indexers | Heavy forwarder | Description |
---|---|---|---|---|
Splunk IT Essentials Work | Required | Required | You have to install ITE Work on each search head cluster node. | |
(Optional) Splunk Add-on for Amazon Web Services | Required | You have to install the add-on if you are collecting data from AWS. Version 5.0.0 is supported. | ||
(Optional) HTTP Event Collector | Required | You have to install the HTTP Event Collector if you are collecting metrics from a *nix host. Collectd, which collects metrics data from *nix hosts, sends data to a HEC. | ||
(Optional) TCP input | Required | If you are collecting *nix and Windows logs and Windows metrics, configure a TCP input. You need to configure a port to receive data from a universal forwarder. |
Prerequisites for installing ITE Work in a search head cluster environment
ITE Work supports installation on Linux-based search head clusters only. ITE Work doesn't support installation on Windows search head clusters.
Before installing ITE Work in a search head cluster environment, verify that you have the following:
- One deployer
- The same version of Splunk Enterprise on the deployer and search head cluster nodes
- The same app versions, not including ITE Work, on the deployer and search head cluster nodes
- A backup of etc/shcluster/apps on the deployer, taken before installing ITE Work
- A backup of etc/apps from one of the search head cluster nodes
- A backup of the KV store from one of the search head cluster nodes
Steps
Follow these steps to set up ITE Work in a search head cluster environment.
If you install ITE Work in an existing search head cluster environment that has other apps deployed already, you have to follow all of the steps in this section. Don't delete or remove any existing content in the $SPLUNK_HOME/etc/shcluster/apps folder.
1. Install ITE Work in a search head cluster environment
To install ITE Work on a search head cluster, perform the following steps:
- Log in to splunk.com with your credentials.
- Download the latest version of ITE Work from Splunkbase.
- You have to read and accept the license terms and conditions to download the app.
- Depending on your system, you might be prompted to keep the executable file.
- Stop your Splunk platform. See Start and stop Splunk Enterprise for steps to do so in your specific environment.
For example, on *nix:
cd $SPLUNK_HOME/bin
./splunk stop
- On the deployer, extract the ITE Work installation package into $SPLUNK_HOME/etc/shcluster/apps. For example:
tar -xvf splunk-it-essentials-work_<latest_version>.spl -C $SPLUNK_HOME/etc/shcluster/apps
On Windows, rename the file extension from .spl to .tgz first and use a third-party utility to perform the extraction.
- From the deployer, run the following command to deploy ITE Work to the cluster members:
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
Note the following:
- The -target parameter specifies the URI and management port for any member of the cluster, for example, https://10.0.1.14:8089. You specify only one cluster member but the deployer pushes to all members. This parameter is required.
- The -auth parameter specifies credentials for the deployer instance.
For more information on deploying a configuration bundle, see Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.
- Restart your Splunk platform. See Start and stop Splunk Enterprise for steps to do so in your specific environment.
For example, on *nix:
cd $SPLUNK_HOME/bin
./splunk start
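The extraction step above writes into a folder that may already hold other apps, so the following added example (not Splunk's own tooling) backs up etc/shcluster/apps, refuses a package whose members would land outside that folder, and reports which existing app directories the extraction overwrites. The function names are hypothetical, the paths are supplied by the caller, and GNU tar is assumed.

```shell
#!/bin/sh
# Added example, not Splunk tooling. The three paths are caller-supplied.

# Succeeds only if every archive member is a relative path with no ".."
# component. -P makes tar list names exactly as stored.
archive_is_contained() {
    names=$(tar -P -tf "$1" 2>/dev/null) || return 2   # unreadable archive
    [ -n "$names" ] || return 2                        # empty archive
    printf '%s\n' "$names" | awk -F/ '
        /^\// { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i == "..") bad = 1 }
        END { exit bad + 0 }'
}

# Prints the top-level app directories in the package that already exist
# under the target directory, i.e. what extraction would overwrite.
existing_apps() {
    tar -tf "$1" 2>/dev/null | sed 's|^\./||' | cut -d/ -f1 | sort -u |
    while read -r app; do
        if [ -n "$app" ] && [ -e "$2/$app" ]; then printf '%s\n' "$app"; fi
    done
}

# stage_app <package.spl> <shcluster_apps_dir> <backup_dir>
stage_app() {
    pkg=$1; apps=$2; backups=$3
    if ! archive_is_contained "$pkg"; then
        echo "refusing $pkg: unreadable or has members outside the target" >&2
        return 1
    fi
    mkdir -p "$backups" || return 1
    # Prerequisite from the page: back up etc/shcluster/apps first.
    tar -czf "$backups/shcluster-apps-$(date +%Y%m%d%H%M%S).tgz" -C "$apps" . || return 1
    clash=$(existing_apps "$pkg" "$apps")
    [ -z "$clash" ] || echo "overwriting existing app(s): $clash" >&2
    tar -xf "$pkg" -C "$apps"
}
```

On the deployer this would be called as stage_app with the downloaded .spl file, $SPLUNK_HOME/etc/shcluster/apps, and a backup directory outside the Splunk tree, before running the apply shcluster-bundle command.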
2. Configure indexers and license masters
The ITE Work installation package places all ITE Work directories in $SPLUNK_HOME/etc/apps. Perform the following steps to set up indexers and license masters:
- Copy SA-IndexCreation found in the $SPLUNK_HOME/etc/apps/ directory to the same directory on all individual indexers in your environment.
- Install SA-ITSI-Licensechecker and SA-UserAccess on all license masters in your cluster. If a search head in your environment is also a license master, the license master components are installed when you install ITE Work on the search heads.
3. Configure search heads and cluster members to forward data to indexers
In a search head cluster environment, configure search heads to forward data. For more information, see Best practice: Forward search head data to the indexer layer in the Splunk Enterprise Distributed Search manual.
4. (Optional) Migrate an existing search head to a search head cluster
You can't add a standalone ITE Work search head or search head pool member to a search head cluster. To migrate ITE Work configurations to a search head cluster, perform the following steps:
- Identify any custom configurations and modifications in the prior ITE Work installation. Check to make sure there is no local copy of settings.conf that might conflict with the default file when you deploy ITE Work to the cluster.
- Configure and start a search head cluster. For more information, see Deploy a search head cluster in the Splunk Enterprise Distributed Search manual.
- Deploy the latest version of ITE Work on the search head cluster.
- Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
- Shut down the old ITE Work search head.
For more information, see the topic Migrate settings from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search manual.
For assistance in planning a Splunk ITE Work deployment migration, contact Splunk Services.
5. Configure data collection
You can collect data from Linux, Mac OS X, and Windows hosts, Kubernetes and OpenShift clusters, Docker containers, and VMware vCenter Servers. If you installed and configured the Splunk Add-on for Amazon Web Services on a heavy forwarder, you can also collect data from your AWS accounts. For more information, see Overview of entity integrations in ITSI.
Verify installation
There are two ways to verify ITE Work is successfully installed:
- Check that the ITE Work directories are in $SPLUNK_HOME/etc/shcluster/apps. See About the ITE Work installation package for the list of directories.
- Go to Apps > Manage Apps in Splunk Web and search for "IT Essentials Work".
Alongside ITSI or Splunk Enterprise Security
ITE Work can't be installed on the same search head as Splunk IT Service Intelligence (ITSI) or Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1