Splunk® IT Service Intelligence

Install and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Acrobat logo Download topic as PDF

Version-specific upgrade notes for ITSI

Consider the following guidelines when upgrading to specific versions of IT Service Intelligence.

After upgrading to version 4.9.0

As of version 4.9.0, the Splunk App for Infrastructure will no longer be packaged with ITSI. You will no longer be able to integrate or import entities from SAI to ITSI. Additionally, all servicesNS/nobody/SA-ITOA/itoa_entity_exchange/ REST endpoints will be disabled and return error codes.

Instead, you will be able to run discovery entity saved searches directly from ITSI. Your existing SAI entities will still be discovered as native entities in ITSI.

To enable entity discovery for these existing SAI entities, you must update your data sources and enable saved searches. For more information, see Use the ITSI entity discovery search.

After upgrading to version 4.6.1

A new metrics-based summary index was introduced in ITSI version 4.6.0. To provide a more continuous experience, a backfill process queue modular input was added to migrate data from the itsi_summary index to the new metrics-based index.

In version 4.6.1, the modular input for backfill functionality is disabled by default as opposed to running automatically. If you upgraded to version 4.6.1 or higher and you need to use the Service Analyzer to inspect service or KPI data from before the upgrade, enable the backfill modular input. If you choose not to enable it, note that sparklines on the Service Analyzer might appear flat for about 1-15 minutes after upgrade due to lack of data.

To enable the modular input, perform the following steps:

  1. Within ITSI, go to Settings > Data Inputs.
  2. Open the modular input called IT Service Intelligence Metrics Backfill Process Queue.
  3. Click Enable.

Optionally, you can modify the default configurations to backfill more or less data. If you do modify the defaults, first determine if your environment can backfill data at a higher rate than set by the default throttle and concurrent search settings.

For more information about the metrics index, see ITSI metrics summary index reference in the Administration Manual.

After upgrading to version 4.4.x

Consider the following when upgrading to version 4.4.x:

Copy SA-ITOA to the license master

Version 4.4.x has an additional requirement of copying SA-ITOA to the license master and manually disabling all inputs in inputs.conf. For instructions, see ITSI-4813 in the IT Service Intelligence Release Notes.


As of version 4.4.x, you can make changes to a local copy of the itsi_rules_engine.properties file at $SPLUNK_HOME/etc/apps/SA-ITOA/local/ and these changes will take precedence over the default file. Previously, this file was not treated like a regular Splunk .conf file, so changes to a local copy of the file had no impact. For more information, see Configuration file precedence in the Splunk Enterprise Admin Manual.

If you've made changes to the default file in the past, make a copy of these changes before upgrading to 4.4.x. After you upgrade, create a blank itsi_rules_engine.properties file at $SPLUNK_HOME/etc/apps/SA-ITOA/local/ and add these changed settings to the local file. This step ensures that your changes to the file will persist through future upgrades.

Make all future changes to itsi_rules_engine.properties in the local file rather than the default file. For the contents of the file, see Rules Engine properties reference in ITSI in the Event Analytics Manual.

After upgrading to version 4.2.x

The Entity Alias Filtering field used in KPI searches was removed in version 4.2.0. With the removal of entity alias filtering, ITSI now strictly matches entities against KPI search results using both the alias key and value, whereas before it only used the alias value.

This strict association change can cause some entities to not be included in KPI results. If this is the case, a message appears in Splunk Web with a link to documentation on how to fix potentially broken entities. For information, see Removed features in Splunk IT Service Intelligence.

After upgrading to version 4.0.4

To initiate the fix for ITSI-1868 concerning entity rules, you need to trigger the service-entity rule change handler. To trigger the handler, run the kvstore_to_json mode 4 option, which will regenerate your KPI search schedules.

After upgrading to version 4.0.x

  1. Remove unnecessary XML files from the ITSI OS Module that were removed or renamed as of ITSI 4.0.0. Remove the following files from $SPLUNK_HOME/etc/apps/DA-ITSI-OS/default/data/ui/panels:
      • cpu_memory_usage.xml
      • memory_free_percent.xml
      • memory_disk_ops.xml
      • forecast_network.xml
      • storage_volumes_most_used.xml
      • storage_devices_iostats_chart.xml
  2. Version 4.0.x ships with an internal license stack called IT Service Intelligence Internals *DO NOT COPY* stack to ensure that you don't pay for notable events generated by ITSI. The sourcetypes used to track notable events and episodes are counted on this special stack with no impact on your Splunk Enterprise license. When calculating your daily license usage, disregard this stack.

After upgrading to version 3.1.x

  1. If you have a dedicated license master, remove SA-ITOA from the license master since ITSI no longer requires the add-on as of version 3.1.x.
  2. When the objects in ITSI are exported during a backup or migration, if the number of KPIs linked to a service is high, the instance can hit a KV store memory size limit causing some objects to be dropped from the backup and lost after the upgrade.

    Workaround: Increase the KV store bulk get limit in $SPLUNK_HOME/etc/apps/SA-ITOA/local/limits.conf and retry the backup or upgrade. Increase the max_size_per_result_mb value as necessary.
    # The maximum size, in megabytes (MB), of the result that will be returned for a single query to a collection.
    # ITSI requires approximately 50MB per 1,000 KPIs. Override this value if necessary.
    # Default: 500 MB
    max_size_per_result_mb = 500

This action increases the memory used by the KV store during operations.

Last modified on 15 October, 2021
Roll back an upgrade of ITSI
Troubleshoot an upgrade of IT Service Intelligence

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.10.0 Cloud only, 4.10.1 Cloud only

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters