Splunk® IT Essentials Work

Install Splunk IT Essentials Work

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Upgrade Splunk IT Essentials Work on a search head cluster

At this time, you can't install Splunk IT Essentials Work from the Splunk Web interface.

Follow these steps to upgrade Splunk IT Essentials Work (ITE Work) on cluster members. ITE Work supports upgrades from up to three minor versions before the version you're upgrading to. If you are upgrading from a version lower than three minor versions from the version you want to upgrade to, you have to perform step upgrades.

Before upgrading

  • Perform all prerequisite steps specified before upgrading ITE Work. See Before you upgrade IT Essentials Work.
  • Ensure stable and optimal connectivity between the deployer and search head cluster members, such as minimal network latency, no dropped packets, and so on. Problems with network connectivity during an shcluster bundle push of a new version of ITE Work might leave ITE Work in an inconsistent state and require further steps to resolve.
  • ITE Work supports upgrades from up to three versions prior.

Confirm the cluster is in a healthy state

Confirm that the cluster is in a healthy state before you begin the upgrade:

splunk show shcluster-status

Check the following criteria:

  1. Locate the current search head captain and use it as the target to run the following command:
    splunk apply shcluster-bundle
  2. Make sure the search head cluster is fully functional and that there are no pending replication updates.

For information on health check criteria, see Health check output details.

Deploy the new version to the cluster members

Use the deployer to distribute the new version of ITE Work to search head cluster members, the same way you initially deployed ITE Work on the search head cluster. A migration script runs on the captain after upgrading. The upgrade then propagates to all other cluster members.

  1. Log in to splunk.com with your credentials.
  2. Download the latest version of ITE Work from Splunkbase.
    1. You have to read and accept the license terms and conditions to download the app.
    2. Depending on your system, you might be prompted to keep the executable file.
  3. Stop your Splunk platform. See Start and stop Splunk Enterprise for steps to do so in your specific environment.
    For example, on *nix:
    cd $SPLUNK_HOME/bin
    ./splunk stop
  4. On the deployer, extract the ITE Work installation package into $SPLUNK_HOME/etc/shcluster/apps. For example:
    tar -xvf splunk-it-essentials-work_<latest_version>.spl -C $SPLUNK_HOME/etc/shcluster/apps

    On Windows, rename the file extension from .spl to .tgz first and use a third-party utility to perform the extraction.

  5. From the deployer, run the following command to deploy ITE Work to the cluster members:
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>

    Note the following:

    • The -target parameter specifies the URI and management port for any member of the cluster, for example, You select only one cluster member but the deployer pushes to all members. This parameter is required.
    • The -auth parameter specifies credentials for the deployer instance.

    For more information on deploying a configuration bundle, see Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

    At the end of the bundle push, a rolling restart occurs if necessary. During a rolling restart, approximately 10% of the members restart at a time, until all have restarted. If you're using options to disable rolling restarts, you need to trigger one manually. For instructions and more information, see Use the deployer to distribute apps and configuration updates.

  6. Restart your Splunk platform. See Start and stop Splunk Enterprise for steps to do so in your specific environment.
    For example, on *nix:
    cd $SPLUNK_HOME/bin
    ./splunk start
  7. The first time you go to ITE Work after installing the new files, a migration screen steps you through the upgrade process. For Skip over localized failures, select whether to skip over the following types of failures:
    • Missing dependencies in service KPIs, such as a missing macro
    • Multiple entity split or filter fields in KPI base searches
    • Missing dependencies in KPI base searches
    • Missing dependencies in correlation searches
    • Duplicate services

    Skipping over these failures means the problematic objects aren't migrated. You'll receive a list of skipped objects when the upgrade completes.

  8. Select Start Upgrade. The migration script runs to migrate existing ITE Work knowledge objects to the new version.
  9. When the upgrade completes, open the ITE Work home page.

To check migration related logs, run the following Splunk search:

index=_internal "[itsi.migration]"

Upgrade indexers

For nonclustered distributed environments, copy the SA-IndexCreation file to $SPLUNK_HOME/etc/apps on each indexer in your deployment.

If you have an indexer cluster, use the configuration bundle method to replicate SA-IndexCreation across all peer nodes. On the primary node, place a copy of SA-IndexCreation in $SPLUNK_HOME/etc/master-apps/. For information about updating peers in an indexer cluster, and for CLI instructions, see Manage app deployment across all peers in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Upgrade ITSI license components

When you upgrade ITE Work, you have to also upgrade SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search head cluster environment.

If one of the search heads in your environment is also a license master, the license master components are upgraded when you upgrade ITE Work on the search heads.

Validate the upgrade

The ITE Work upgrade process is now complete. Objects disabled during the upgrade process are automatically reenabled. ITE Work shows the following message: IT Service Intelligence upgrade has completed successfully.

  1. In Splunk Web, select Help > About to verify that the upgrade was successful.
  2. Clear the browser cache of the browser you use to access Splunk Web. If you don't clear the browser cache, some pages might fail to load.

You can also check the installed version, latest version, and previous version by running the following search:

| rest splunk_server=local /services/apps/local/itsi | stats values(version) as itsi_installed_version | join [|inputlookup itsi_migration_check]

After upgrading

If the upgrade fails, see Roll back an upgrade of Splunk IT Essentials Work.

Last modified on 22 November, 2022
Upgrade Splunk IT Essentials Work on a single instance
Roll back an upgrade of Splunk IT Essentials Work

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.15.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters