Splunk® IT Service Intelligence

Install and Upgrade Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Install IT Service Intelligence in a search head cluster environment

Splunk IT Service Intelligence (ITSI) has specific requirements and processes for implementing search head clustering.

See the following pages for more information about search head clustering:

What the search head cluster environment looks like

This diagram illustrates a search head cluster environment with ITSI, the Splunk App for Infrastructure (no longer packaged with ITSI as of version 4.9.0), and the optional Splunk Add-on for Infrastructure and Splunk Add-on for Amazon Web Services. Data is ingested from a Windows system, a Mac system, and a Linux system, and a heavy forwarder for AWS data collection. Each system sends S2S traffic from a universal forwarder directly to an indexer cluster and HTTP traffic from collectd to a third-party load balancer. The load balancer forwards traffic to HECs in the indexer cluster.

Note: As of ITSI 4.9.0, the Splunk App for Infrastructure is no longer packaged with ITSI.

This image describes a network with a heavy forwarder (for AWS data collection), a Windows system, a Mac system, and a Linux system sending HTTP data to a load balancer and S2S data to an indexer cluster. The indexer cluster sends data to the search head cluster.

Where to install ITSI and other dependencies

The following table describes the required locations for installing ITSI and other dependencies in your search head cluster environment.

Component Search heads Indexers Heavy forwarder Description
Splunk IT Service Intelligence Required Required*

You must install ITSI on each search head cluster node.

Splunk Add-on for Amazon Web Services Required You must install the add-on if you are collecting data from AWS. Version 5.0.0 is supported.
HTTP Event Collector Required You must install the HTTP Event collector if you are collecting metrics from a *nix host. Collectd, which collects metrics data from *nix hosts, sends data to a HEC.
TCP input Required If you are collecting *nix and Windows logs and Windows metrics, configure a TCP input. You need to configure a port to receive data from a universal forwarder.

Alongside IT Essentials Work

ITSI can't be installed on the same search head as IT Essentials Work.

Prerequisites for installing ITSI in a search head cluster environment

ITSI supports installation on Linux-based search head clusters only. ITSI does not support installation on Windows search head clusters.

Before installing ITSI in a search head cluster environment, verify that you have the following:

  • One deployer
  • The same version of Splunk Enterprise on the deployer and search head cluster nodes
  • The same app versions, not including ITSI, on the deployer and search head cluster nodes
  • The backup of etc/shcluster/apps on the deployer before installing ITSI
  • The backup of etc/apps from one of the search head cluster nodes
  • The backup of the KV store from one of search head cluster nodes

Steps

Follow these steps to set up ITSI in a search head cluster environment.

If you are installing ITSI in an existing search head cluster environment that might have other apps deployed already, you must follow all of the steps in this section. Be careful to not delete or remove any existing content in the $SPLUNK_HOME/etc/shcluster/apps folder.

1. Install ITSI in a search head cluster environment

At this time, you can't install ITSI from the Splunk Web interface.

To install ITSI on a search head cluster, perform the following steps:

  1. Log in to splunk.com with your credentials.
  2. Download the latest version of IT Service Intelligence from Splunkbase. See the Splunk IT Service Intelligence product page.
  3. On the deployer, extract the ITSI installation package into $SPLUNK_HOME/etc/shcluster/apps. For example:
    tar -xvf splunk-it-service-intelligence_<latest_version>.spl -C $SPLUNK_HOME/etc/shcluster/apps
    
  4. From the deployer, run the following command to deploy ITSI to the cluster members:
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
    

    Note the following:

    • The -target parameter specifies the URI and management port for any member of the cluster, for example, https://10.0.1.14:8089. You specify only one cluster member but the deployer pushes to all members. This parameter is required.
    • The -auth parameter specifies credentials for the deployer instance.

    For more information on deploying a configuration bundle, see Deploy a configuration bundle in the Splunk Enterprise Distributed Search Manual.

2. Install required Java components

Using 32-bit JRE/JDK on ITSI versions 4.3.x or later might cause the Rules Engine to fail with unclear errors in the search.log. If this occurs, perform the workaround described in ITSI-4663.

IT Service Intelligence requires Java 8.x - 11.x to run anomaly detection and notable event management features. You can install Java prior to or after installing ITSI but before you start running ITSI.

Install Java on all search heads running ITSI. On RHEL and Ubuntu Linux, you can install the vendor packages java-1.8.0-openjdk on RHEL Linux and openjdk-8-jdk on Ubuntu Linux. Alternatively, you can download and install the latest version of Oracle Java 8-11 (JRE or JDK).

If the JAVA_HOME environment variable is set correctly to the base of the Java installation, or the java executable (or java.exe in Windows) can be found using the PATH environment variable, no additional action is required. This is typically the case if you install the vendor Java packages in Linux or OS X.

If you install Java to a custom location, for example, when you install Oracle Java directly from Oracle's website, and neither PATH nor JAVA_HOME is set to the Java installation, you must add the bin bath of the JDK in $HOME/.bashrc. Perform the following steps:

  1. Change to your home directory.
    cd $HOME
    
  2. Open the .bashrc file.
  3. Add the following line to the file. Replace the JDK directory with the name of your java installation directory.
    export PATH=/usr/java/<JDK Directory>/bin:$PATH
    
  4. Save the file and exit.
  5. Use the source command to force Linux to reload the .bashrc file which normally is read only when you log in each time.
    source .bashrc
    

If you want to set the PATH for all users, you need to log in as root in the bash shell and perform the above steps on the .profile file in the etc directory and not the .bashrc file in the home directory.

3. Configure indexers and license masters

The ITSI installation package places all ITSI directories in $SPLUNK_HOME/etc/apps. Perform the following steps to set up indexers and license masters:

  1. Copy SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on all individual indexers in your environment.
  2. Install SA-ITSI-Licensechecker and SA-UserAccess on all license masters in your cluster. If a search head in your environment is also a license master, the license master components are installed when you install ITSI on the search heads.

4. Configure search heads and cluster members to forward data to indexers

In a search head cluster environment, configure search heads to forward data. ITSI runs KPI searches on search heads and, by default, stores data in the local itsi_summary index. For more information, see Best practice: Forward search head data to the indexer layer in the Splunk Enterprise Distributed Search manual.

5. (Optional) Migrate an existing search head to a search head cluster

You cannot add a standalone ITSI search head or search head pool member to a search head cluster. To migrate ITSI configurations to a search head cluster, perform the following steps:

  1. Identify any custom configurations and modifications in the prior ITSI installation. Check to make sure there is no local copy of itsi_settings.conf that might conflict with the default file when you deploy ITSI to the cluster.
  2. Configure and start a search head cluster. For more information, see Deploy a search head cluster in the Splunk Enterprise Distributed Search manual.
  3. Deploy the latest version of ITSI on the search head cluster.
  4. Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
  5. Shut down the old ITSI search head.

For more information, see the topic Migrate settings from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search manual.

For assistance in planning a Splunk ITSI deployment migration, contact Splunk Services.

6. (Optional) Install Splunk App for Content Packs

The Splunk App for Content Packs provides out-of-the-box content that you can use to quickly set up your Splunk IT Service Intelligence (ITSI) environment. This content can include preconfigured KPI base searches, service templates, saved glass tables, and other objects for use within ITSI or ITE Work.

To enable access to the content in the Splunk App for Content Packs, follow the installation steps in Install the Splunk App for Content Packs.

7. (Optional) Configure data collection to automatically discover entities

Follow the installation, configuration and data requirements guidance for each content pack that addresses your specific use cases. To see a list of all available content packs, see Available content packs.

Once data is properly onboarded, entities will automatically get discovered using the ITSI entity discovery searches. For more information about entity discovery searches, see ITSI entity discovery searches.

Last modified on 26 July, 2022
PREVIOUS
Where to install IT Service Intelligence in a distributed environment
  NEXT
Configure indexes in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.15.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters