
Install Splunk IT Service Intelligence
You can install Splunk IT Service Intelligence (ITSI) on Splunk Enterprise in both single-instance and distributed deployment environments. For an overview of these Splunk Enterprise environments, see Deployment architectures in this manual. Splunk Cloud customers must work with Splunk Support to coordinate access to the IT Service Intelligence search head.
Before you install, review the latest deployment requirements, including Splunk Enterprise version requirements and ITSI license requirements. See Splunk Enterprise version requirement in this manual.
Before you install Splunk IT Service Intelligence
Perform the following tasks before you install Splunk IT Service Intelligence.
1. Install required Java components
ITSI requires Java 7 or Java 8 to run anomaly detection and notable event management features. Java 8 is required for Windows installations. Java 9 and 10 are not currently supported. You can install Java prior to or after installing ITSI.
Install Java 8 on all search heads running ITSI. On RHEL and Ubuntu Linux, you can install the vendor packages: java-1.8.0-openjdk
on RHEL Linux and openjdk-8-jdk
on Ubuntu Linux. Alternatively, you can download and install the latest version of Oracle Java 8 (JRE or JDK).
If the JAVA_HOME
environment variable is set correctly to the base of the Java installation, or the “java” executable (or “java.exe” in Windows) can be found using the PATH
environment variable, no additional action is required. This is typically the case if you install the vendor Java packages in Linux or OS X.
If you install Java to a custom location (for example, when you install Oracle Java from oracle.com) and neither PATH
nor JAVA_HOME
is set to the Java installation, you must set JAVA_HOME
in $SPLUNK_HOME/etc/splunk-launch.conf
. For example:
JAVA_HOME=/opt/jdk1.8.0_74.jdk
2. (Optional) Install required Predictive Analytics apps
To use ITSI's Predictive Analytics capabilities, install the Splunk Machine Learning Toolkit (MLTK) and share the machine learning macros with all apps so ITSI can access them. These applications are only required if you plan to use Predictive Analytics to predict service health scores. For more information, see Set up Predictive Analytics in ITSI.
- Install the Python for Scientific Computing add-on version 1.3 or later for your operating system:
- Install the latest version of the Splunk MLTK. Follow the steps in Install the Splunk Machine Learning Toolkit in the MLTK User Guide.
- Give the MLTK app Global permissions:
- In ITSI, click App: IT Service Intelligence > Manage Apps.
- In the filter bar, enter
Splunk Machine Learning Toolkit
. - Click Permissions.
- Ensure that All apps is selected.
- Click Save.
Install ITSI on a single instance
Install ITSI on a single Splunk Enterprise instance. In a single-instance deployment, a single Splunk Enterprise instance serves as both search head and indexer.
You must install ITSI by extracting the ITSI installation package. ITSI does not support installation using the app manager in Splunk Web or using the splunk install app
command at the command line.
- Log in to splunk.com with your Splunk.com user name and password.
- Download the latest Splunk IT Service Intelligence product.
- Stop
splunk
. For example:cd $SPLUNK_HOME/bin ./splunk stop
- Extract the ITSI installation package into
$SPLUNK_HOME/etc/apps
. For example:tar -xvf splunk-it-service-intelligence_<latest_version>.spl -C $SPLUNK_HOME/etc/apps
On Windows, rename the file extension from .spl to .tgz first and use a third-party utility like 7-Zip to perform the extraction.
- Start
splunk
. For example:cd $SPLUNK_HOME/bin ./splunk start
Install ITSI in a distributed environment
You can install ITSI in any distributed Splunk Enterprise environment. For more information on distributed Splunk Enterprise environments, see Distributed deployment in this manual.
Where to install ITSI
Splunk instance type | Supported | Required | Actions required / Comments |
---|---|---|---|
Search Heads | Yes | Yes | Install ITSI to all search heads where ITSI is used as described in Install ITSI on a single instance. Search heads must be running Splunk Enterprise 7.0.x -7.2.x. |
Indexers | Yes | Yes | SA-IndexCreation is required on all indexers. For non-clustered distributed environments, copy SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on individual indexers. Indexers must be running Splunk Enterprise 7.0.x -7.2.x.
|
License master | Yes | Yes | Install SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search head cluster environment. If a search head in your environment is also a license master, the license master components are installed when you install ITSI on the search heads. Note: SA-ITOA is no longer required as of ITSI version 3.1.x.
|
Heavy Forwarders | Yes | No | ITSI does not contain a data collection component. |
Universal Forwarders | Yes | No | ITSI does not contain a data collection component. |
Distributed deployment feature compatibility
This table describes the compatibility of ITSI with Splunk distributed deployment features.
Distributed deployment feature | Supported | Actions required / Comments |
---|---|---|
Search Head Clusters | Yes | Use the deployer to distribute ITSI to search head cluster members. Search heads must be running Splunk Enterprise 7.0.x -7.2.x. |
Indexer Clusters | Yes | Use the configuration bundle method to replicate SA-IndexCreation across all peer nodes. On the master node, place a copy of SA-IndexCreation in $SPLUNK_HOME/etc/master-apps/ .
|
Deployment Server | Yes |
For information about updating search head cluster members, see Use the deployer to distribute apps and configuration updates in the Distributed Search manual.
For information about updating peers in an indexer cluster, see Manage app deployment across all peers in the Managing Indexers and Clusters of Indexers manual.
Configure search heads and cluster members to forward data to indexers
In a distributed environment, configure search heads to forward data. ITSI runs KPI searches on search heads and by default stores data in the local itsi_summary
index. It is considered a best practice to forward data from search heads to indexers.
See also
PREVIOUS ITSI deployment planning |
NEXT Upgrade Splunk IT Service Intelligence |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4
Feedback submitted, thanks!