Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.1.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade Splunk IT Service Intelligence

This topic describes how to upgrade Splunk IT Service Intelligence on an on-premises deployment from version 2.6.x or later to version 4.1.x. Splunk Cloud customers work with Splunk Support to coordinate upgrades to IT Service Intelligence.

ITSI version 4.x is incompatible with Splunk Enterprise versions 7.2.0 - 7.2.3. On versions 7.0.5, 7.1.x and 7.2.4 - 7.2.6, ITSI requires a workaround to prevent event duplication in Episode Review. For more information and to apply the workaround, see Splunk Enterprise system requirement.

Before you upgrade IT Service Intelligence

  1. Back up your ITSI KV store data and store those backup files in a secure location. See Backup and restore ITSI data in this manual.
  2. (Optional) If you plan to use ITSI's Predictive Analytics capabilities, install the Python for Scientific Computing add-on and the latest version of the Splunk Machine Learning Toolkit. For more information, see Set up Predictive Analytics in ITSI.
  3. Make sure the Splunk admin role inherits from the itoa_admin role. The default settings for admin role inheritance for ITSI are contained in authorize.conf. Problems can occur when these settings have been modified in a local version of the file.
    1. Use the CLI btool command and look at the line importRoles to make sure itoa_admin, itoa_analyst, and itoa_user are listed. For example: ./splunk btool authorize list role_admin –debug.
    2. To add the itoa roles, click Settings > Access Controls > Roles > admin. Under Inheritance, add itoa_admin, itoa_analyst and itoa_user to the selected roles if necessary.
  4. Check KV store size limits. The limit of a single batch save to a KV store collection is 50 MB. Check the total amount of data that your services contain, and, if necessary, increase the KV store size limit in limits.conf.

Upgrade Splunk IT Service Intelligence

Upgrade your on-premise ITSI deployment the same way you initially installed ITSI, by extracting the installation package for the new version and copying the necessary components to each instance in your ITSI deployment. See Splunk Enterprise Deployments in this manual.

You must upgrade ITSI by extracting the ITSI installation package. ITSI does not support installation using the app manager in Splunk Web or using the splunk install app command at the command line.

The first time you start Splunk Enterprise after installing the new files, a migration script runs to migrate existing ITSI knowledge objects to the new version.

Upgrade search heads or a single-instance

On each search head, or on a single-instance deployment, download the splunk-it-service-intelligence_<latest_version>.spl install package and extract it into $SPLUNK_HOME/etc/apps. See Install ITSI on a single instance for details.

Upgrade indexers

For non-clustered distributed environments, copy SA-IndexCreation to $SPLUNK_HOME/etc/apps on each indexer in your deployment.

If you have an indexer cluster, use the configuration bundle method to replicate SA-IndexCreation across all peer nodes. On the master node, place a copy of SA-IndexCreation in $SPLUNK_HOME/etc/master-apps/. For information about updating peers in an indexer cluster, see Manage app deployment across all peers in the Managing Indexers and Clusters of Indexers manual.

Upgrade ITSI on a search head cluster

To upgrade ITSI on a search head cluster, use the deployer to distribute the new version of ITSI to search head cluster members (the same way ITSI was deployed on the search head cluster initially). The migration script kicks off on the captain. The upgrade then propagates to all other cluster members.

For information about updating search head cluster members, see Use the deployer to distribute apps and configuration updates in the Distributed Search manual.

Upgrade ITSI license components

When you upgrade Splunk IT Service Intelligence, you must also upgrade SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search head cluster environment.

If one of the search heads in your environment is also a license master, the license master components are upgraded when you upgrade ITSI on the search heads.

Post migration tasks

After the ITSI migration completes, do the following:

  1. In Splunk Web, click Help > About to verify that upgrade to ITSI version 4.1.x was successful.
  2. Clear the browser cache of the browser you use to access Splunk Web to make sure that you access a fresh version of Splunk Web after upgrading. If you do not clear the browser cache, some pages might fail to load.
  3. To initiate the fix for ITSI-1868 concerning entity rules, you need to trigger the service-entity rule change handler. To do this, run the kvstore_to_json mode 4 option which will regenerate your KPI search schedules.
  4. If you have a dedicated license master, remove SA-ITOA from the license master since ITSI no longer requires it as of version 3.1.x.
  5. Remove unnecessary XML files from the ITSI OS Module. The files have been removed or renamed as of ITSI 4.0.0. Remove the following files from $SPLUNK_HOME/etc/apps/DA-ITSI-OS/default/data/ui/panels:
    • cpu_memory_usage.xml
    • memory_free_percent.xml
    • memory_disk_ops.xml
    • forecast_network.xml
    • storage_volumes_most_used.xml
    • storage_devices_iostats_chart.xml
Last modified on 08 July, 2019
Install Splunk IT Service Intelligence
Uninstall Splunk IT Service Intelligence

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.1.0, 4.1.1, 4.1.2, 4.1.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters