Splunk® IT Service Intelligence

Install and Upgrade Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence (ITSI) version 4.11.x will reach its End of Life on December 6, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Before you upgrade IT Service Intelligence

Perform the steps in this topic before you upgrade IT Service Intelligence (ITSI) to the latest release. Splunk Cloud Platform customers must work with Splunk Support to coordinate upgrades to ITSI.

ITSI supports upgrades from up to three versions prior to the one you're upgrading to. If the version of ITSI that you are upgrading to is more than three versions higher than your current version, then you must perform a step migration to a lower version first.

View cloud and on-prem upgrade paths at ITSI upgrade paths.

Remove episode lookup entries from transforms.conf

Version 4.6.0 updated the notable event system KV store collection in transforms.conf with the following fields:

  • parent_group_id
  • split_by_hash
  • first_event_id
  • group_template_id

Before upgrading to version 4.6.0 or later from a pre-4.6.0 version, remove any entries for itsi_notable_group_system_lookup in your local transforms.conf so these fields can be populated in the system KV store collection.

In addition, the instructions field was added to the itsi_notable_group_user KV store collection in version 4.5.0. Before upgrading to version 4.5.0 or later from a pre-4.5.0 version, remove any entries for itsi_notable_group_user_lookup in your local transforms.conf so this value can be populated in the user KV store collection.

Make sure no service templates are syncing

If any service templates are syncing when you upgrade ITSI, the upgrade fails. Check the sync status of service templates by clicking Configuration > Service Templates from the ITSI main menu.

Check admin role inheritance

Make sure the Splunk admin role inherits from the itoa_admin role. The default settings for admin role inheritance for ITSI are contained in authorize.conf. Problems can occur when these settings have been modified in a local version of the file.

Check KV store size limits

The limit of a single batch save to a KV store collection is 500 MB. Check the total amount of data that your services contain, and, if necessary, increase the KV store size limit in $SPLUNK_HOME/etc/apps/SA-ITOA/local/limits.conf. This setting controls the maximum size, in megabytes (MB), of the results that are returned for a single query to a collection.


  • Only users with file system access, such as system administrators, can increase the KV store size limit.
  • Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.


  1. Open or create a local limits.conf file in $SPLUNK_HOME/etc/apps/SA-ITOA/local/.
  2. Increase the max_size_per_result_mb value in the [kvstore] stanza:
    max_size_per_result_mb = [new value]

Review known issues and changes

Review the following topics before you upgrade ITSI:

  1. Compatible versions of the Splunk platform. See Splunk Enterprise system requirements.
  2. Hardware requirements. See Planning your hardware requirements.
  3. Known issues with the latest release of IT Service Intelligence. See Known issues in Splunk IT Service Intelligence in the Release Notes.
  4. Removed features in the latest release of IT Service Intelligence. See Removed features in the Release Notes.

Validate index names

Check that index names have not changed before you upgrade ITSI. See New features in Splunk IT Service Intelligence for any changed index names or review the indexes.conf file.

Recommendations for upgrading IT Service Intelligence

Upgrade both the Splunk platform and IT Service Intelligence in the same maintenance window. See the Splunk Enterprise system requirements to verify which versions of Splunk ITSI and Splunk Enterprise are supported with each other.

If you're upgrading to the Python 3 release of Splunk Enterprise (version 8.x), you must upgrade ITSI and all other apps before upgrading Splunk Enterprise. For more information, see Python 3 migration with ITSI.

  1. Upgrade Splunk Enterprise to a compatible version.
  2. Upgrade Splunk platform instances.
  3. Upgrade Splunk IT Service Intelligence.
  4. Review, upgrade, and deploy add-ons.
  5. See Version-specific upgrade notes for post-installation tasks.

Upgrading ITSI deployed on a search head cluster is a multi-step process. The procedure is detailed in Upgrade IT Service Intelligence in a search head cluster environment in this manual.

Last modified on 12 July, 2022
Uninstall Splunk IT Service Intelligence
Steps to address the Apache Log4j vulnerabilities in ITSI or IT Essentials Work

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.15.0, 4.15.1, 4.15.2

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters