Upgrade Splunk IT Service Intelligence
This topic describes how to upgrade Splunk IT Service Intelligence on an on-premises deployment from version 2.6.x or later to version 4.0.x. Splunk Cloud customers work with Splunk Support to coordinate upgrades to IT Service Intelligence.
ITSI version 4.x is incompatible with Splunk Enterprise versions 7.2.0 - 7.2.3. On versions 7.0.5, 7.1.x and 7.2.4 - 7.2.6, ITSI requires a workaround to prevent event duplication in Episode Review. For more information and to apply the workaround, see Splunk Enterprise system requirement.
Perform the following steps before upgrading to IT Service Intelligence version 4.0.x.
1. Back up your KV store data
Before you upgrade to the latest version of ITSI, it is a best practice to back up your current ITSI KV store data and store those backup files in a secure location. See Backup and restore ITSI data in this manual.
2. Check Splunk admin role inheritance
Before upgrading, make sure the Splunk admin role inherits from the itoa_admin role. Problems can occur when these settings have been modified in a local version of authorize.conf. Use the CLI
btool command and look at the line
importRoles to make sure itoa_admin, itoa_analyst, and itoa_user are listed. For example:
./splunk btool authorize list role_admin –debug
To add the itoa roles, navigate to Settings > Access Controls> Roles > admin > Inheritance and add itoa_admin, itoa_analyst and itoa_user to Selected roles if necessary.
3. Check KV store size limits
The limit of a single batch save to a KV store collection is 50MB. As a result, if you have one KPI base search that is used by multiple services, and the total size of your services exceeds 50MB, ITSI generates an error. To avoid this issue, check the total amount of data that your services contain, and, if necessary, increase the KV store size limit in
limits.conf. For instructions, see Increase KV store size limits in this manual.
4. (Optional) Install required Predictive Analytics add-ons
To use ITSI's Predictive Analytics capabilities, install the Splunk Machine Learning Toolkit (MLTK) and the Python for Scientific computing add-on. These add-ons are only required if you plan to use Predictive Analytics to predict service health scores. For more information, see Set up Predictive Analytics in ITSI.
- Install the Python for Scientific Computing add-on version 1.3 or later for your operating system:
- Install the latest version of the Splunk MLTK. Follow the steps in Install the Splunk Machine Learning Toolkit in the MLTK User Guide.
- Give the MLTK app Global permissions:
- In ITSI, click App: IT Service Intelligence > Manage Apps.
- In the filter bar, enter
Splunk Machine Learning Toolkit.
- Click Permissions.
- Ensure that All apps is selected.
- Click Save.
Upgrade to IT Service Intelligence version 4.0.x
Upgrade your on-premise ITSI deployment the same way you initially installed ITSI, by extracting the installation package for the new version and copying the necessary components to each instance in your ITSI deployment. See Splunk Enterprise Deployments in this manual.
You must upgrade ITSI by extracting the ITSI installation package. ITSI does not support installation using the app manager in Splunk Web or using the
splunk install app command at the command line.
The first time you start Splunk Enterprise after installing the new files, a migration script runs to migrate existing ITSI knowledge objects to the new version.
Upgrade search heads or a single-instance
On each search head, or on a single-instance deployment, download the
splunk-it-service-intelligence_<latest_version>.spl install package and extract it into
$SPLUNK_HOME/etc/apps. See Install ITSI on a single instance for details.
For non-clustered distributed environments, copy
$SPLUNK_HOME/etc/apps on each indexer in your deployment.
If you have an indexer cluster, use the configuration bundle method to replicate
SA-IndexCreation across all peer nodes. On the master node, place a copy of
$SPLUNK_HOME/etc/master-apps/. For information about updating peers in an indexer cluster, see Manage app deployment across all peers in the Managing Indexers and Clusters of Indexers manual.
Upgrade ITSI on a search head cluster
To upgrade ITSI on a search head cluster, use the deployer to distribute the new version of ITSI to search head cluster members (the same way ITSI was deployed on the search head cluster initially). The migration script kicks off on the captain. The upgrade then propagates to all other cluster members.
For information about updating search head cluster members, see Use the deployer to distribute apps and configuration updates in the Distributed Search manual.
Upgrade ITSI license components
When you upgrade to ITSI 4.0.x, you must also upgrade
SA-UserAccess on any license master in a distributed or search head cluster environment. Note that
SA-ITOA is no longer required as of ITSI version 3.1.0.
If one of the search heads in your environment is also a license master, the license master components are upgraded when you upgrade ITSI on the search heads.
Post migration tasks
After the ITSI migration completes, do the following:
- In Splunk Web, go to Help > About to verify that upgrade to ITSI version 4.0.x was successful.
- If your browser was open before and/or during the upgrade process, make sure to clear your browser cache or re-open the browser.
- If you have a dedicated license master, remove
SA-ITOAfrom the license master since ITSI no longer requires it as of version 3.1.x.
- Remove unnecessary XML files from the ITSI OS Module. The files have been removed or renamed as of ITSI 4.0.0. Remove the following files from
Install Splunk IT Service Intelligence
Uninstall Splunk IT Service Intelligence
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3