Splunk® IT Service Intelligence

Install and Upgrade Manual

Upgrade IT Service Intelligence on a single instance

This topic describes how to upgrade Splunk IT Service Intelligence (ITSI) on an on-premises search head. ITSI supports upgrades from up to three versions prior to the one you're upgrading to. To upgrade from earlier versions, perform a step upgrade. Splunk Cloud Platform customers work with Splunk Support to coordinate upgrades to IT Service Intelligence.

Before upgrading

Before you upgrade ITSI, you must perform all prerequisite steps specified in Before you upgrade IT Service Intelligence.

If upgrading to a Python 3 release of Splunk (version 8.x), you must upgrade IT Service Intelligence and all other apps before upgrading Splunk Enterprise. For more information, see Python 3 migration with ITSI.

Step 1. Install the latest version of ITSI

On a single-instance deployment, a single Splunk Enterprise instance serves as both the search head and indexer.

You must upgrade ITSI by extracting the ITSI installation package. ITSI does not support installation using the app manager in Splunk Web or using the splunk install app command at the command line.

  1. Log in to splunk.com with your Splunk.com ID.
  2. Download the latest Splunk IT Service Intelligence product.
  3. If you're upgrading from a pre-4.6.0 ITSI version to version 4.6.0 or higher, stop the Rules Engine before upgrading so it can pick up the fields added to the KV store for migration:
    1. Within Splunk Web, go to Settings > Searches, reports, and alerts.
    2. In the App dropdown, select All.
    3. Use the filter to locate the itsi_event_grouping search.
    4. Click Actions > Disable.
  4. Stop your Splunk platform instance:
    cd $SPLUNK_HOME/bin
    ./splunk stop
  5. Extract the ITSI installation package into $SPLUNK_HOME/etc/apps. For example:
    tar -xvf splunk-it-service-intelligence_<latest_version>.spl -C $SPLUNK_HOME/etc/apps

    On Windows, rename the file extension from .spl to .tgz first and use a third-party utility like 7-Zip to perform the extraction.

  6. Start your Splunk software.
    cd $SPLUNK_HOME/bin
    ./splunk start
  7. On the migration screen, for Skip over localized failures, choose whether to skip over the following types of failures:
    • Missing dependencies in service KPIs, such as a missing macro
    • Multiple entity split or filter fields in KPI base searches
    • Missing dependencies in KPI base searches
    • Missing dependencies in correlation searches
    • Duplicate services

    Skipping over these failures means the problematic objects aren't migrated. You'll receive a list of skipped objects when the upgrade completes.

  8. Click Start Upgrade. The migration script runs to migrate existing ITSI knowledge objects to the new version. The migration script runs to migrate existing ITSI knowledge objects to the new version, and a table displays the status of jobs that run during the upgrade. To learn more about what happens in each stage of the precheck, see Stages of a precheck.
  9. If a precheck fails during the upgrade, you can either select Proceed anyway or Restart upgrade. For information about troubleshooting the upgrade at this stage, see Prechecks fail during the upgrade.
  10. Re-enable the itsi_event_grouping search.

To check migration related logs, run the following Splunk search:

index=_internal "[itsi.migration]"

Stages of a precheck

When you run an ITSI upgrade, a table displays the status of prechecks that run during the process.

  • In the Prep stage, the table lists the status of each precheck job:
Status Description
In Progress The precheck job is running in the backend to check that your ITSI objects can be migrated.
Enqueued The precheck job is queued, and will run after the current precheck job completes.
Completed The precheck job completed running and did not identify any errors.
Failed An error with one or more of your objects was identified, and can potentially block your upgrade. Check the details of each error to troubleshoot your object configurations.
  • In the Transform stage, the table lists the migration status of each knowledge object being upgraded.

Step 2. Upgrade indexers

You must place the SA-IndexCreation add-on on all indexers. For non-clustered distributed environments, copy SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on individual indexers. Indexers must be running a compatible version of Splunk Enterprise. If you upgrade your indexers, verify whether you must also upgrade your search heads. For information, see Splunk Enterprise version compatibility.

If you have an indexer cluster, use the configuration bundle method to replicate SA-IndexCreation across all peer nodes. On the master node, place a copy of SA-IndexCreation in $SPLUNK_HOME/etc/master-apps/. For information about updating peers in an indexer cluster, see Manage app deployment across all peers in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

(Optional) Step 3. Upgrade ITSI license components

If your environment uses a separate license manager, you must also upgrade the SA-ITSI-Licensechecker and SA-UserAccess components on that manager.

Step 4. Validate the upgrade

The Splunk IT Service Intelligence upgrade process is now complete. Objects disabled during the upgrade process are automatically reenabled. The ITSI shows the following message: IT Service Intelligence upgrade has completed successfully.

  1. In Splunk Web, click Help > About to verify that the upgrade was successful.
  2. Clear the browser cache of the browser you use to access Splunk Web. If you do not clear the browser cache, some pages might fail to load.

You can also check the installed version, latest version, and previous version by running the following search:

| rest splunk_server=local /services/apps/local/itsi | stats values(version) as itsi_installed_version | join [|inputlookup itsi_migration_check]

After upgrading

Perform the following steps after upgrading IT Service Intelligence.

  1. If there's a problem with the new version, see Troubleshoot an upgrade of IT Service Intelligence.
  2. If the upgrade fails, see Roll back an upgrade of ITSI.
  3. See the Version-specific upgrade notes for ITSI for the version you upgraded to.
Last modified on 04 October, 2023
Steps to address the Apache Log4j vulnerabilities in ITSI or IT Essentials Work   Upgrade IT Service Intelligence in a search head cluster environment

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.17.0, 4.17.1, 4.18.0, 4.18.1

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters