Splunk® IT Service Intelligence

Entity Integrations Manual

Overview of creating custom content packs in ITSI

Create, download, and manage content packs for your organization based on your organization's specific use cases. Content packs also enable you to quickly package custom solutions you've built using ITSI or Splunk knowledge objects, and share them across multiple deployments.

Prerequisites

Requirement | Description
Roles | You must have the admin or itoa_admin role to create content packs. Enable the install_apps and edit_local_apps capabilities to install content packs. For more information, see Configure users and roles in ITSI in the Administration Manual.

Steps

Step 1: Create a new content pack

Follow the steps below to create a new content pack for your organization:

  1. Select Configuration > Data Integrations.
  2. Select the Authored Content tab to view the content packs created for your organization.
  3. Select the Create Content Pack button to create a new content pack. To edit an existing content pack, select the edit icon on the content pack.
  4. Provide a title and description for the content pack. Optionally, add prerequisites as a description of what is needed to use the content pack.
     Note: The content pack title has a 100 character limit, and the description has a 400 character limit.

  5. Configure the following fields for the content pack:
    Field | Description
    Prerequisites | List any prerequisite add-ons to install or additional steps to note before installing the content pack. There is a 2000 character limit for this field.
    Content Pack Version | The content pack version number. The version must be formatted as Major.Minor.Revision. For example: 3.4.2
    Icon | Upload a PNG icon that represents the content pack and displays as a tile on the Authored Content tab. The icon file size must be 20 KB or lower.
    Main screenshot | Upload a screenshot to display the content pack's contents on the Authored Content page. This is the first image that appears when you preview the content pack. The screenshot file size must be 500 KB or lower.
    Screenshots | Upload additional screenshots of the content pack. The screenshot file size must be 500 KB or lower.
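The field limits above can be checked before the values are entered in the UI. The following is an added example, not part of the Splunk documentation or of ITSI; the function name `check_pack`, the dictionary keys, treating 1 KB as 1024 bytes, and accepting only digits in the version are assumptions.

```python
import re

# Limits taken from the field descriptions above. 1 KB = 1024 bytes is an
# assumption; the page does not say which definition ITSI applies.
CHAR_LIMITS = {"title": 100, "description": 400, "prerequisites": 2000}
ICON_MAX = 20 * 1024
SCREENSHOT_MAX = 500 * 1024
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumption: each of Major, Minor and Revision is a run of digits.
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")


def check_pack(meta, icon=b"", screenshots=()):
    """Return a list of problems; an empty list means every field fits."""
    problems = []
    for field, limit in CHAR_LIMITS.items():
        length = len(meta.get(field, ""))
        if length > limit:
            problems.append(f"{field}: {length} characters, limit is {limit}")
    if not VERSION_RE.fullmatch(meta.get("version", "")):
        problems.append("version: expected Major.Minor.Revision, e.g. 3.4.2")
    if icon:
        # Check the file signature rather than trusting a .png extension.
        if not icon.startswith(PNG_SIGNATURE):
            problems.append("icon: not a PNG file (signature mismatch)")
        if len(icon) > ICON_MAX:
            problems.append(f"icon: {len(icon)} bytes, limit is {ICON_MAX}")
    for index, shot in enumerate(screenshots):
        if len(shot) > SCREENSHOT_MAX:
            problems.append(
                f"screenshot {index}: {len(shot)} bytes, limit is {SCREENSHOT_MAX}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real content pack.
    sample = {"title": "Payments monitoring", "description": "KPIs and glass tables",
              "prerequisites": "Install the required add-ons first.", "version": "3.4"}
    for problem in check_pack(sample, icon=b"GIF89a" + bytes(16)):
        print(problem)
```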

Step 2: Add knowledge objects to content pack

Select knowledge objects from ITSI or objects shared across Splunk Enterprise or Splunk Cloud Platform to add to your content pack. To select knowledge objects from ITSI, select the ITSI Content tab. You can add the following objects:

  • Services
  • Entity types
  • Saved episode reviews
  • Service templates
  • Service analyzers
  • Glass tables
  • Deep dives
  • Correlation searches
  • Notable event aggregation policies

Selecting one of the following knowledge objects also includes its dependent knowledge objects (such as services, service templates, base searches, threshold templates, and the team associated with these knowledge objects):

  • Services
  • Service templates
  • Service analyzers
  • Glass tables
  • Deep dives
  • Notable event aggregation policies

Note: The knowledge objects that are included in ITSI by default (for example, default KPI base searches or threshold templates) will not be included in content packs that you create.

To select knowledge objects from Splunk Enterprise, select the Splunk Enterprise Content tab. You can add the following objects:

  • Macros
  • Saved searches
  • Props
  • Transforms
  • Lookups
  • Dashboards

To select knowledge objects from Splunk Cloud Platform, select the Splunk Cloud Content tab. You can add the following objects:

  • Dashboards
  • Macros
  • Saved searches
  • Props
  • Transforms
  • Lookups

Step 3: Build and download content pack

After selecting all the objects you want to include in the content pack, you can save the content pack and select Build Content Pack to generate your new content pack. After the content pack is built, you can see the content pack in the Built Content Packs section, and download a tar.gz file of your content pack by selecting the content pack tile.

When a knowledge object that's included as part of a content pack is deleted from your system, you can update your content pack by editing and saving the content pack again.

Note: If your server restarts or is interrupted while a content pack is building, the content pack build fails once the build_timeout period defined in inputs.conf has elapsed.

Dashboards

For dashboards, custom visualizations are referenced using the image's Base-64 encoding in the dashboard's JSON source code. Custom visualizations stored locally on your system will have the image's static path URL automatically updated for the content pack. In search head cluster environments, ensure the search head on which the content pack is built has the locally stored file.

Additionally, saved searches used as data sources for the content pack's dashboard(s) are automatically added. Private saved searches won't be included. When the content pack is built, the saved search's app name in the dashboard will be replaced with the content pack's ID.

Note: Dashboard definitions cannot exceed 7 MB. If the dashboard definition exceeds this limit, reduce the size or number of custom visualizations used in your dashboards.

Import custom content packs

Follow the steps below to install an authored content pack to your specific deployment:

  1. Select the Import Content Pack button on the Content Library tab.
    1. For instructions to install your content pack on Splunk Enterprise, see Install an add-on in a single-instance Splunk Enterprise deployment.
    2. For instructions to install your content pack on Splunk Cloud Platform, see Install apps on your Splunk Cloud Platform deployment.
  2. After upload, your content pack should appear in the Imported Content Packs section on the Content Library tab of the Data Integrations page.
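Because a built content pack is a tar.gz file that gets installed on another deployment, it is worth inspecting the archive before importing it. The following is an added example, not part of the Splunk documentation; the function names are hypothetical, and the single top-level directory check is an assumption about the archive layout that the page does not state.

```python
import hashlib
import io
import tarfile


def inspect_pack(data):
    """Return (sha256_hex, findings) for the raw bytes of a content pack tar.gz."""
    digest = hashlib.sha256(data).hexdigest()  # compare with the builder's value
    findings, roots = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:  # reads headers only; nothing is extracted
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            if member.name.startswith("/") or ".." in parts:
                findings.append(f"path leaves extraction directory: {member.name}")
            elif member.issym() or member.islnk():
                findings.append(f"link entry: {member.name} -> {member.linkname}")
            elif not (member.isfile() or member.isdir()):
                findings.append(f"special file: {member.name}")
            if parts:
                roots.add(parts[0])
    # Assumption: the pack unpacks into exactly one top-level directory.
    if len(roots) != 1:
        findings.append(f"expected one top-level directory, found {sorted(roots)}")
    return digest, findings


def make_sample(entries):
    """Build a constructed tar.gz in memory from (name, link_target or None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archive, not a real content pack.
    sample = make_sample([("my_pack/readme.txt", None),
                          ("my_pack/../../outside.conf", None),
                          ("my_pack/link", "outside/target")])
    sha256, issues = inspect_pack(sample)
    print(sha256)
    for issue in issues:
        print(issue)
```

Record the SHA-256 on the system where the pack was built and compare it on the target deployment before selecting Import Content Pack.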

Find out more about other available content packs and how to use content pack knowledge objects by browsing the documentation for Available content packs.

Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1

