Splunk® IT Service Intelligence

Administration Manual


Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence.

Install Splunk IT Service Intelligence

You can install Splunk IT Service Intelligence (ITSI) on Splunk Enterprise in both single-instance and distributed deployment environments. For an overview of these Splunk Enterprise environments, see Deployment architectures in this manual. Splunk Cloud customers must work with Splunk Support to coordinate access to the IT Service Intelligence search head.

Before you install, review the latest deployment requirements, including Splunk Enterprise version requirements and ITSI license requirements. See Splunk Enterprise version requirement in this manual.

Before you install Splunk IT Service Intelligence

Perform the following tasks before you install Splunk IT Service Intelligence.

1. Install required Java components

ITSI requires Java 7 or Java 8 to run anomaly detection and notable event management features. Java 8 is required for Windows installations. Java 9 and 10 are not currently supported. You can install Java prior to or after installing ITSI.

Install Java 8 on all search heads running ITSI. On RHEL and Ubuntu Linux, you can install the vendor packages: java-1.8.0-openjdk on RHEL Linux and openjdk-8-jdk on Ubuntu Linux. Alternatively, you can download and install the latest version of Oracle Java 8 (JRE or JDK).

If the JAVA_HOME environment variable is set correctly to the base of the Java installation, or the “java” executable (or “java.exe” in Windows) can be found using the PATH environment variable, no additional action is required. This is typically the case if you install the vendor Java packages in Linux or OS X.

If you install Java to a custom location (for example, when you install Oracle Java from oracle.com) and neither PATH nor JAVA_HOME is set to the Java installation, you must set JAVA_HOME in $SPLUNK_HOME/etc/splunk-launch.conf. For example:
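The following preflight check is an added example, not part of the Splunk documentation. It resolves `java` from `JAVA_HOME`, `splunk-launch.conf` or `PATH` and rejects versions outside the supported Java 7 and 8. The lookup order, the `/opt/splunk` fallback, the placeholder path and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Splunk's code): preflight check for the ITSI 4.0.x Java requirement.
# Constructed splunk-launch.conf entry it understands (placeholder path):
#   JAVA_HOME=/opt/java/jre1.8.0_example

# Print the major Java version from `java -version` output read on stdin.
java_major() {
    ver=$(sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        "")  return 1 ;;                              # no version string found
        1.*) ver=${ver#1.}; echo "${ver%%.*}" ;;      # legacy scheme: 1.8.0_191 -> 8
        *)   echo "${ver%%[.+-]*}" ;;                 # newer scheme: 10.0.2 -> 10
    esac
}

# ITSI 4.0.x: Java 7 or 8 only; Java 9 and 10 are not supported.
itsi_java_supported() {
    case "$1" in 7|8) return 0 ;; *) return 1 ;; esac
}

# Print the last JAVA_HOME assignment in the splunk-launch.conf file given as $1.
launch_conf_java_home() {
    sed -n 's/^[[:space:]]*JAVA_HOME[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Locate java. Assumed order: JAVA_HOME in the environment, then splunk-launch.conf, then PATH.
resolve_java() {
    conf="${SPLUNK_HOME:-/opt/splunk}/etc/splunk-launch.conf"
    home=${JAVA_HOME:-}
    if [ -z "$home" ] && [ -f "$conf" ]; then home=$(launch_conf_java_home "$conf"); fi
    if [ -n "$home" ] && [ -x "$home/bin/java" ]; then echo "$home/bin/java"
    else command -v java; fi
}

# Run the whole check against the Java that was resolved.
preflight() {
    java_bin=$(resolve_java) || { echo "no java found: set JAVA_HOME in splunk-launch.conf" >&2; return 1; }
    # `java -version` writes to stderr, so merge it into the pipe.
    major=$("$java_bin" -version 2>&1 | java_major) || { echo "cannot parse java -version" >&2; return 1; }
    if itsi_java_supported "$major"; then echo "OK: Java $major ($java_bin)"
    else echo "unsupported Java $major ($java_bin): ITSI 4.0.x needs Java 7 or 8" >&2; return 1; fi
}

if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it with `--check` on each search head before or after installing ITSI; a non-zero exit status means no usable Java 7 or 8 was found.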


2. (Optional) Install required Predictive Analytics apps

To use ITSI's Predictive Analytics capabilities, install the Splunk Machine Learning Toolkit (MLTK) and share the machine learning macros with all apps so ITSI can access them. These applications are only required if you plan to use Predictive Analytics to predict service health scores. For more information, see Set up Predictive Analytics in ITSI.

  1. Install the Python for Scientific Computing add-on version 1.3 or later for your operating system:
  2. Install the latest version of the Splunk MLTK. Follow the steps in Install the Splunk Machine Learning Toolkit in the MLTK User Guide.
  3. Give the MLTK app Global permissions:
    1. In ITSI, click App: IT Service Intelligence > Manage Apps.
    2. In the filter bar, enter Splunk Machine Learning Toolkit.
    3. Click Permissions.
    4. Ensure that All apps is selected.
    5. Click Save.

Install ITSI on a single instance

Install ITSI on a single Splunk Enterprise instance. In a single-instance deployment, a single Splunk Enterprise instance serves as both search head and indexer.

You must install ITSI by extracting the ITSI installation package. ITSI does not support installation using the app manager in Splunk Web or using the splunk install app command at the command line.

  1. Log in to splunk.com with your Splunk.com user name and password.
  2. Download the latest Splunk IT Service Intelligence product.
  3. Stop splunk. For example:
    cd $SPLUNK_HOME/bin
    ./splunk stop
  4. Extract the ITSI installation package into $SPLUNK_HOME/etc/apps. For example:
    tar -xvf splunk-it-service-intelligence_<latest_version>.spl -C $SPLUNK_HOME/etc/apps

    On Windows, rename the file extension from .spl to .tgz first and use a third-party utility like 7-Zip to perform the extraction.

  5. Start splunk. For example:
    cd $SPLUNK_HOME/bin
    ./splunk start
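A check to run before the extraction in step 4, as an added example that is not part of the Splunk documentation: it lists the package, refuses member paths that would land outside `$SPLUNK_HOME/etc/apps`, and reports which app directories the extraction would create or overwrite. The function names and the `/opt/splunk` fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Splunk's code): inspect an ITSI .spl archive before
# extracting it into $SPLUNK_HOME/etc/apps.

# Read member names on stdin; print those that are absolute or contain a ".." component.
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Read member names on stdin; print the distinct top-level directories (one per app).
top_level_dirs() {
    sed -e 's#^\./##' -e 's#/.*##' | grep -v '^$' | LC_ALL=C sort -u
}

# inspect_spl PACKAGE [APPS_DIR]
# Fails on unsafe member paths; otherwise prints "new NAME" or "overwrite NAME"
# for every top-level directory the package would place in APPS_DIR.
inspect_spl() {
    pkg=$1
    apps=${2:-${SPLUNK_HOME:-/opt/splunk}/etc/apps}
    list=$(tar -tf "$pkg") || { echo "cannot read $pkg" >&2; return 1; }
    bad=$(printf '%s\n' "$list" | unsafe_members)
    if [ -n "$bad" ]; then
        echo "refusing to extract, unsafe member paths:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    printf '%s\n' "$list" | top_level_dirs | while read -r d; do
        if [ -e "$apps/$d" ]; then echo "overwrite $d"; else echo "new $d"; fi
    done
}

if [ "${1:-}" = "--inspect" ]; then inspect_spl "$2" "${3:-}"; fi
```

An `overwrite` line for an app you have customized is the cue to back up that directory before running the `tar -xvf` command.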

Install ITSI in a distributed environment

You can install ITSI in any distributed Splunk Enterprise environment. For more information on distributed Splunk Enterprise environments, see Distributed deployment in this manual.

Where to install ITSI

Splunk instance type | Supported | Required | Actions required / Comments
Search Heads | Yes | Yes | Install ITSI to all search heads where ITSI is used as described in Install ITSI on a single instance. Search heads must be running Splunk Enterprise 7.0.x - 7.2.x.
Indexers | Yes | Yes | SA-IndexCreation is required on all indexers. For non-clustered distributed environments, copy SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on individual indexers. Indexers must be running Splunk Enterprise 7.0.x - 7.2.x.
License master | Yes | Yes | Install SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search head cluster environment. If a search head in your environment is also a license master, the license master components are installed when you install ITSI on the search heads. Note: SA-ITOA is no longer required as of ITSI version 3.1.x.
Heavy Forwarders | Yes | No | ITSI does not contain a data collection component.
Universal Forwarders | Yes | No | ITSI does not contain a data collection component.

Distributed deployment feature compatibility

This table describes the compatibility of ITSI with Splunk distributed deployment features.

Distributed deployment feature | Supported | Actions required / Comments
Search Head Clusters | Yes | Use the deployer to distribute ITSI to search head cluster members. Search heads must be running Splunk Enterprise 7.0.x - 7.2.x.
Indexer Clusters | Yes | Use the configuration bundle method to replicate SA-IndexCreation across all peer nodes. On the master node, place a copy of SA-IndexCreation in $SPLUNK_HOME/etc/master-apps/.
Deployment Server | Yes |

For information about updating search head cluster members, see Use the deployer to distribute apps and configuration updates in the Distributed Search manual.

For information about updating peers in an indexer cluster, see Manage app deployment across all peers in the Managing Indexers and Clusters of Indexers manual.

Configure search heads and cluster members to forward data to indexers

In a distributed environment, configure search heads to forward data. ITSI runs KPI searches on search heads and by default stores data in the local itsi_summary index. It is considered a best practice to forward data from search heads to indexers.

See also

Last modified on 06 February, 2019

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4
