Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade Splunk IT Service Intelligence

This topic describes how to upgrade Splunk IT Service Intelligence on an on-premises deployment from version 2.6.x or later to version 4.0.x. Splunk Cloud customers work with Splunk Support to coordinate upgrades to IT Service Intelligence.

ITSI version 4.x is incompatible with Splunk Enterprise versions 7.2.0 - 7.2.3. On versions 7.0.5, 7.1.x and 7.2.4 - 7.2.6, ITSI requires a workaround to prevent event duplication in Episode Review. For more information and to apply the workaround, see Splunk Enterprise system requirement.


Perform the following steps before upgrading to IT Service Intelligence version 4.0.x.

1. Back up your KV store data

Before you upgrade to the latest version of ITSI, it is a best practice to back up your current ITSI KV store data and store those backup files in a secure location. See Backup and restore ITSI data in this manual.

2. Check Splunk admin role inheritance

Before upgrading, make sure the Splunk admin role inherits from the itoa_admin role. Problems can occur when these settings have been modified in a local version of authorize.conf. Use the CLI btool command and look at the line importRoles to make sure itoa_admin, itoa_analyst, and itoa_user are listed. For example:

./splunk btool authorize list role_admin –debug

To add the itoa roles, navigate to Settings > Access Controls> Roles > admin > Inheritance and add itoa_admin, itoa_analyst and itoa_user to Selected roles if necessary.

3. Check KV store size limits

The limit of a single batch save to a KV store collection is 50MB. As a result, if you have one KPI base search that is used by multiple services, and the total size of your services exceeds 50MB, ITSI generates an error. To avoid this issue, check the total amount of data that your services contain, and, if necessary, increase the KV store size limit in limits.conf. For instructions, see Increase KV store size limits in this manual.

4. (Optional) Install required Predictive Analytics add-ons

To use ITSI's Predictive Analytics capabilities, install the Splunk Machine Learning Toolkit (MLTK) and the Python for Scientific computing add-on. These add-ons are only required if you plan to use Predictive Analytics to predict service health scores. For more information, see Set up Predictive Analytics in ITSI.

  1. Install the Python for Scientific Computing add-on version 1.3 or later for your operating system:
  2. Install the latest version of the Splunk MLTK. Follow the steps in Install the Splunk Machine Learning Toolkit in the MLTK User Guide.
  3. Give the MLTK app Global permissions:
    1. In ITSI, click App: IT Service Intelligence > Manage Apps.
    2. In the filter bar, enter Splunk Machine Learning Toolkit.
    3. Click Permissions.
    4. Ensure that All apps is selected.
    5. Click Save.

Upgrade to IT Service Intelligence version 4.0.x

Upgrade your on-premise ITSI deployment the same way you initially installed ITSI, by extracting the installation package for the new version and copying the necessary components to each instance in your ITSI deployment. See Splunk Enterprise Deployments in this manual.

You must upgrade ITSI by extracting the ITSI installation package. ITSI does not support installation using the app manager in Splunk Web or using the splunk install app command at the command line.

The first time you start Splunk Enterprise after installing the new files, a migration script runs to migrate existing ITSI knowledge objects to the new version.

Upgrade search heads or a single-instance

On each search head, or on a single-instance deployment, download the splunk-it-service-intelligence_<latest_version>.spl install package and extract it into $SPLUNK_HOME/etc/apps. See Install ITSI on a single instance for details.

Upgrade Indexers

For non-clustered distributed environments, copy SA-IndexCreation to $SPLUNK_HOME/etc/apps on each indexer in your deployment.

If you have an indexer cluster, use the configuration bundle method to replicate SA-IndexCreation across all peer nodes. On the master node, place a copy of SA-IndexCreation in $SPLUNK_HOME/etc/master-apps/. For information about updating peers in an indexer cluster, see Manage app deployment across all peers in the Managing Indexers and Clusters of Indexers manual.

Upgrade ITSI on a search head cluster

To upgrade ITSI on a search head cluster, use the deployer to distribute the new version of ITSI to search head cluster members (the same way ITSI was deployed on the search head cluster initially). The migration script kicks off on the captain. The upgrade then propagates to all other cluster members.

For information about updating search head cluster members, see Use the deployer to distribute apps and configuration updates in the Distributed Search manual.

Upgrade ITSI license components

When you upgrade to ITSI 4.0.x, you must also upgrade SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search head cluster environment. Note that SA-ITOA is no longer required as of ITSI version 3.1.0.

If one of the search heads in your environment is also a license master, the license master components are upgraded when you upgrade ITSI on the search heads.

Post migration tasks

After the ITSI migration completes, do the following:

  • In Splunk Web, go to Help > About to verify that upgrade to ITSI version 4.0.x was successful.
  • If your browser was open before and/or during the upgrade process, make sure to clear your browser cache or re-open the browser.
  • If you have a dedicated license master, remove SA-ITOA from the license master since ITSI no longer requires it as of version 3.1.x.
  • Remove unnecessary XML files from the ITSI OS Module. The files have been removed or renamed as of ITSI 4.0.0. Remove the following files from $SPLUNK_HOME/etc/apps/DA-ITSI-OS/default/data/ui/panels:
    • cpu_memory_usage.xml
    • memory_free_percent.xml
    • memory_disk_ops.xml
    • forecast_network.xml
    • storage_volumes_most_used.xml
    • storage_devices_iostats_chart.xml
Last modified on 08 July, 2019
Install Splunk IT Service Intelligence
Uninstall Splunk IT Service Intelligence

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters