Splunk® IT Service Intelligence

Modules

Acrobat logo Download manual as PDF


Splunk IT Service Intelligence (ITSI) version 4.11.x reached its End of Life on December 6, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
Acrobat logo Download topic as PDF

Install and configure ITSI modules

The following ITSI modules are installed as part of the Splunk IT Service Intelligence package:

The following ITSI modules are available for individual download:

All modules, whether included or downloaded and installed separately, do not require configuration. However, they do require relevant data to be indexed before you can create services based on the KPIs included in the modules.

See the documentation for each module that you want to use for links to the supported add-ons that are relevant for the environment you are monitoring with your ITSI deployment.

ITSI module entity discovery

ITSI module entity discovery works as follows:

  1. The ITSI admin provides data to ITSI by installing and configuring relevant Splunk add-ons.
  2. The entities send data to the indexers.
  3. The ITSI admin defines a new service, selecting an ITSI module to assist with service creation.
  4. The module automatically discovers entities for which relevant data has been collected.

The module uses a saved search to discover entities. This saved search runs every four hours by default. The module saved searches are disabled by default. You must enable them to turn on automatic entity discovery.

Enable the automatic entity discovery search

Enable the entity discovery search for each module that you want to use. Each module entity discovery search runs at a different interval so that if you choose to enable multiple entity discovery searches, no conflicts occur.

In a single search head environment:

To enable a module automatic entity discovery search:

  1. Navigate to Settings > Data inputs and select IT Service Intelligence CSV Import. You will see the module entity discovery searches listed here.
  2. Scroll to the far right end of the table and enable the search in the Status column.

In a search head cluster environment:

You must enable the entity discovery search in the inputs.conf file for the relevant module (for example, apps/da-itsi-database/local/inputs.conf) on the deployer and push the changes from the deployer to the cluster members.

Change the automatic entity discovery search

You can change the automatic entity search for a module.

  1. From the system bar in Splunk IT Service Intelligence, navigate to Configuration > Entity Management.
  2. Select Create New Entity > Import from Search.
  3. On the Entity/Service Import page, select Modules.
  4. Select the module, entity search, and search time you want.
  5. Click Next
  6. Specify your columns, then click Save & Next.
  7. Preview your service dependencies, then click Save & Next.

The configuration has been saved. You do not need to save it again as a modular input. You can trigger the module entity import search outside of the standard 4-hour interval.

Manually run an entity discovery search

You can manually run the search by doing one of the following actions:

  • Restart the Splunk platform.
  • Disable and enable the search.
  • Create entities manually.

Manually create entities

You can import entity information into ITSI.

  1. From the ITSI main menu, click Configuration > Entity Management.
  2. Select Create New Entity > Import from Search.
  3. Click Modules. Two buttons appear and the search text field populates with the required search to locate entities.
  4. Confirm that the add-on button below the Modules button says ITSI Module for <Module> and that the search button below the add-on button says <Module> Entities search.
  5. (Optional) Set the time range that the search should run within by clicking the time range picker and choosing the range.
  6. Click the magnifying glass next to the time range picker to run the search. The Splunk platform searches indexed data and returns entity results for which data has been collected.
  7. Click Next.
  8. Navigate to the Specify Columns page.
  9. Review the information on the Specify Columns page. If you do not see the entity you want, then no data for that entity has been indexed into ITSI.
  10. Confirm that you installed and configured the correct add-on into a universal forwarder on that entity. Click Save & Next.
  11. Review the proposed changes to service dependencies, then click Save & Next. The Entity/Service Import success page shows you the number of entities you imported.
  12. Click Exit. ITSI returns you to the page you were on before you went to the Entity/Service Import page.

ITSI module roles

Versions 2.3.0 and above of ITSI use itsi_role in place of role, which was used in ITSI versions 2.2.2 and below. See the table to identify the roles that each module assigns to entities.

ITSI Module ITSI Role
ITSI Application Server Module application_server
ITSI Database Module database_instance
ITSI End User Experience Monitoring Module end_user_application
ITSI Load Balancer Module loadbalancer
ITSI Operating System Module operating_system_host
ITSI Storage Module storagesystem
ITSI Virtualization Module virtualization
ITSI Web Server Module web_server
Last modified on 28 April, 2023
PREVIOUS
Overview of modules in ITSI
  NEXT
ITSI module visualizations

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters