Splunk® IT Service Intelligence

Administration Manual



Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI.

Uninstall Splunk IT Service Intelligence

This page describes how to safely remove an existing Splunk IT Service Intelligence (ITSI) deployment. Once you complete these steps you can perform a clean reinstallation of ITSI. See Install Splunk IT Service Intelligence in this manual.

High-level steps:

  1. Clean the KV store.
  2. Delete all ITSI entries in collections.conf.
  3. Remove all Splunk apps installed with ITSI.
  4. Remove all ITSI-specific indexes.

These steps will permanently delete all data associated with your ITSI deployment. Do not perform these steps unless you are certain that you want to permanently delete your ITSI deployment. If you are uncertain how to proceed, contact Splunk support for guidance.

Step 1: Clean the KV store

Clean the KV store on a standalone search head or license master

On all search heads (and license master, if applicable) clean the KV store. There are two ways to clean the KV store:

Use Splunk CLI:

$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA

OR

Run a curl request to delete each individual SA-ITOA collection. For example:

curl -k -u admin:changeme -X DELETE https://localhost:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services

A complete listing of all SA-ITOA collections is available in $SPLUNK_HOME/etc/apps/SA-ITOA/default/metadata/default.meta.

Clean the KV store in a search head cluster

To clean the KV store in a search head cluster environment, you can run one of the above options to clean the KV store on a single cluster member. The cluster replicates this action and cleans the KV store on each cluster member. See Configuration methods that trigger replication in the Distributed Search manual.

Step 2: Delete all ITSI entries in collections.conf

On all search heads, delete all ITSI entries in collections.conf.

  1. Edit $SPLUNK_HOME/etc/system/local/collections.conf.
  2. Delete all entries whose stanza name starts with itsi_*.
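
One way to script this step, given as an added example that is not part of the Splunk manual: it lists the stanzas whose name starts with itsi_, backs up collections.conf, then rewrites the file without them. The function names and the .pre-itsi-uninstall backup suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Splunk manual. Function names and the
# ".pre-itsi-uninstall" backup suffix are assumptions made for this sketch.

# itsi_stanzas list FILE   -> names of stanzas starting with "itsi_"
# itsi_stanzas strip FILE  -> FILE contents with those stanzas removed
itsi_stanzas() {
    awk -v mode="$1" '
        # Stanza header: extract the name and decide whether to drop
        # this header and every setting line up to the next header.
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[/, "", name)
            sub(/\].*$/, "", name)
            skip = (index(name, "itsi_") == 1)
            if (skip && mode == "list") print name
        }
        mode == "strip" && !skip { print }
    ' "$2"
}

# clean_collections_conf FILE
# Copies FILE to FILE.pre-itsi-uninstall, then rewrites FILE without the
# itsi_ stanzas. Returns non-zero if any step fails; the backup keeps
# the original contents.
clean_collections_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.pre-itsi-uninstall" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if itsi_stanzas strip "$conf" > "$tmp"; then
        # Write through the existing file so owner and mode are kept.
        cat "$tmp" > "$conf" && rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (review the list before rewriting the file):
#   itsi_stanzas list "$SPLUNK_HOME/etc/system/local/collections.conf"
#   clean_collections_conf "$SPLUNK_HOME/etc/system/local/collections.conf"
```

Stanzas that merely contain itsi_ elsewhere in their name are kept, and the backup copy lets you restore the file if a stanza was removed by mistake.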

Step 3: Remove all Splunk apps installed with ITSI

Remove all Splunk apps and add-ons installed with the current or previous versions of ITSI.

Do not remove SA-ThreatIntelligence, SA-Ticketing, SA-Utils or Splunk_SA_CIM if they are in use by another app (such as Splunk Enterprise Security or Splunk App for VMware). If these add-ons are in use, you can safely leave them on your server. If you remove them, any dependent apps will not function as expected.

Remove apps from standalone or non-clustered distributed environments

  1. Stop Splunk.
  2. On all search heads and indexers where ITSI and/or dependent apps and add-ons are installed, delete all items installed by the ITSI installation package. For example:
    cd $SPLUNK_HOME/etc/apps
    rm -rf itsi DA-ITSI-APPSERVER DA-ITSI-DATABASE DA-ITSI-EUEM DA-ITSI-LB DA-ITSI-OS DA-ITSI-STORAGE DA-ITSI-VIRTUALIZATION DA-ITSI-WEBSERVER SA-IndexCreation SA-ITOA SA-ITSI-ATAD SA-ITSI-CustomModuleViz SA-ITSI-Licensechecker SA-ITSI-MetricAD SA-UserAccess

    Note: In most cases, SA-IndexCreation is the only ITSI-related item that you must remove from indexers.

  3. Start Splunk.

For a complete listing of apps and add-ons installed by the ITSI installation package, see About the ITSI install package in this manual.

You should also remove any ITSI modules that were installed independently of ITSI, such as the Splunk ITSI Module for Application Performance Monitoring.

Remove apps from clusters

To delete an app from a search head cluster, you must remove it from the configuration bundle on the deployer. When you next push the bundle, each cluster member deletes the app from its own file system. For more information, see Where to place the configuration bundle on the deployer in the Distributed Search manual.

To delete an app from an indexer cluster, you must remove the app from the deployment location on the cluster master. For more information, see Update common peer configurations and apps in Managing Indexers and Clusters of Indexers.

Step 4: Remove all ITSI-specific indexes

Remove all ITSI-specific indexes that SA-IndexCreation places in $SPLUNK_HOME/var/lib/splunk, including:

anomaly_detection
itsi_grouped_alerts
itsi_notable_archive
itsi_notable_audit
itsi_summary
itsi_tracked_alerts
snmptrapd

For example:

cd $SPLUNK_HOME/var/lib/splunk
rm -rf itsi_* anomaly_detection

Do not remove any indexes that are currently in use by Splunk Enterprise Security or other Splunk apps, including notable and risk indexes.

ITSI does not currently provide an automatic way to clean up the contents for a distributed deployment. To clean a distributed deployment you must perform these cleaning steps on individual search heads and indexers.

Last modified on 12 December, 2018

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5

