Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade Splunk IT Service Intelligence

If you are a Splunk Cloud customer, customer support will contact you regarding upgrading ITSI on your Cloud instance.

If you have an on-premises deployment of ITSI, read the following sections to learn how to upgrade ITSI.

Supported upgrade paths

ITSI supports direct upgrade from version 2.6.x, 3.0.x, and 3.1.x to version 4.0.4.

To upgrade from an older version of ITSI, you must first upgrade to version 2.6.x, then upgrade from 2.6.x to 4.0.4.


Perform the following tasks before upgrading Splunk IT Service Intelligence.

Back up your ITSI configuration data

Before you upgrade to the latest version of ITSI, it is a best practice to back up your current ITSI configuration data and store those backup files in a secure location. See Backup and restore ITSI data in this manual.

Check Splunk admin role inheritance

Before upgrading, make sure the Splunk admin role inherits from the itoa_admin role. The default settings for admin role inheritance for ITSI are contained in $SPLUNK_HOME/etc/apps/itsi/default/authorize.conf. Problems can occur when these settings have been modified in $SPLUNK_HOME/etc/system/local/authorize.conf which takes precedence over the ITSI .conf file settings.

Do the following:

  1. Use the CLI btool command and look at the line importRoles to make sure itoa_admin, itoa_analyst, and itoa_user are listed. For example:

    ./splunk btool authorize list role_admin –debug

  2. To add the itoa roles, do one of the following:
    • From the UI, navigate to Settings > Access Controls> Roles > admin > Inheritance. Add itoa_admin, itoa_analyst and itoa_user to Selected roles if necessary.
    • Alternatively, open $SPLUNK_HOME/etc/system/local/authorize.conf. Make sure itoa_admin, itoa_analyst and itoa_user are listed in the [role_admin] stanza for the importRoles setting as shown below.

      importRoles = itoa_admin;itoa_analyst;itoa_user;power;user

      If they are not, add them manually.

Check KV store size limits

The limit of a single batch save to a KV store collection is 50MB. As a result, if you have one KPI base search that is used by multiple services, and the total size of your services exceeds 50MB, ITSI generates an error. To avoid this issue, check the total amount of data that your services contain, and, if necessary, increase the KV store size limit in limits.conf. For instructions, see Increase KV store size limits in this manual.

Upgrade to ITSI version 4.0.4

Upgrade your on-premise ITSI deployment the same way you initially installed ITSI, by extracting the installation package for the new version and copying the necessary components to each instance in your ITSI deployment. See Splunk Enterprise Deployments in this manual.

You must upgrade ITSI by extracting the ITSI installation package. ITSI does not support installation using the app manager in Splunk Web or using the splunk install app command at the command line.

The first time you start Splunk Enterprise after installing the new files, a migration script runs to migrate existing ITSI knowledge objects to the new version.

Upgrade search heads or a single-instance

On each search head, or on a single-instance deployment, download the splunk-it-service-intelligence_<latest_version>.spl install package and extract it into $SPLUNK_HOME/etc/apps. See Install ITSI on a single instance for details.

Upgrade Indexers

For non-clustered distributed environments, copy SA-IndexCreation to $SPLUNK_HOME/etc/apps on each indexer in your deployment.

If you have an indexer cluster, use the configuration bundle method to replicate SA-IndexCreation across all peer nodes. On the master node, place a copy of SA-IndexCreation in $SPLUNK_HOME/etc/master-apps/. For information about updating peers in an indexer cluster, see Manage app deployment across all peers in the Managing Indexers and Clusters of Indexers manual.

Upgrade ITSI on a search head cluster

To upgrade ITSI on a search head cluster, use the deployer to distribute the new version of ITSI to search head cluster members (the same way ITSI was deployed on the search head cluster initially). The migration script kicks off on the captain. The upgrade then propagates to all other cluster members.

For information about updating search head cluster members, see Use the deployer to distribute apps and configuration updates in the Distributed Search manual.

Upgrade ITSI license components

When you upgrade to ITSI 4.0.4, you must also upgrade SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search head cluster environment. Note that SA-ITOA is no longer required as of ITSI version 3.1.0.

If one of the search heads in your environment is also a license master, the license master components are upgraded when you upgrade ITSI on the search heads.

Post migration tasks

After the ITSI migration completes, do the following:

    • In Splunk Web, go to Help > About to verify that upgrade to ITSI version 4.0.4 was successful.
    • Clear the browser cache of the browser you use to access Splunk Web to make sure that you access a fresh version of Splunk Web after upgrading. If you do not clear the browser cache, some pages might fail to load.
    • To initiate the fix for ITSI-1868 concerning entity rules, you need to trigger the service-entity rule change handler. To do this, run the kvstore_to_json mode 4 option which will regenerate your KPI search schedules.
    • If you have a dedicated license master, remove SA-ITOA from the license master since ITSI no longer requires it as of version 3.1.x.
    • Remove unnecessary XML files from the ITSI OS Module. The files have been removed or renamed as of ITSI 4.0.0. Remove the following files from $SPLUNK_HOME/etc/apps/DA-ITSI-OS/default/data/ui/panels:
      • cpu_memory_usage.xml
      • memory_free_percent.xml
      • memory_disk_ops.xml
      • forecast_network.xml
      • storage_volumes_most_used.xml
      • storage_devices_iostats_chart.xml
Last modified on 08 July, 2019
Install Splunk IT Service Intelligence
Uninstall Splunk IT Service Intelligence

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.4

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters