Splunk® IT Service Intelligence

Install and Upgrade Splunk IT Service Intelligence

This documentation does not apply to the most recent version of ITSI.

Install IT Service Intelligence in a distributed or clustered environment

You can install ITSI in any distributed Splunk Enterprise environment. For more information on distributed Splunk Enterprise environments, see Distributed deployments in this manual.

The Splunk App for Infrastructure and the Splunk Add-on for Infrastructure are included in the ITSI installation package. See Integration with the Splunk App for Infrastructure.

Where to install IT Service Intelligence

| Splunk instance type | Supported | Required | Actions required / comments |
|---|---|---|---|
| Search heads | Yes | Yes | Install ITSI on all search heads as described in Install Splunk IT Service Intelligence. Search heads must be running Splunk Enterprise 7.1.x - 7.3.x. |
| Indexers | Yes | Yes | SA-IndexCreation and Splunk_TA_Infrastructure are required on all indexers. For non-clustered distributed environments, copy SA-IndexCreation and Splunk_TA_Infrastructure to $SPLUNK_HOME/etc/apps/ on individual indexers. Indexers must be running Splunk Enterprise 7.1.x - 7.3.x. |
| License master | Yes | Yes | Install SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search head cluster environment. If a search head in your environment is also a license master, the license master components are installed when you install ITSI on the search heads. |
| Heavy forwarders | Yes | No | ITSI does not contain a data collection component. |
| Universal forwarders | Yes | No | ITSI does not contain a data collection component. |

Distributed deployment feature compatibility

This table describes the compatibility of ITSI with Splunk distributed deployment features.

| Distributed deployment feature | Supported | Actions required / comments |
|---|---|---|
| Search head clusters | Yes | Use the deployer to distribute ITSI to search head cluster members. Search heads must be running a compatible version of Splunk Enterprise. For detailed instructions, see Install ITSI in a search head cluster environment below. |
| Indexer clusters | Yes | Use the configuration bundle method to replicate SA-IndexCreation and Splunk_TA_Infrastructure across all peer nodes. On the master node, place a copy of SA-IndexCreation and Splunk_TA_Infrastructure in $SPLUNK_HOME/etc/master-apps/. |
| Deployment server | Yes | |

Install ITSI in a search head cluster environment

Splunk IT Service Intelligence (ITSI) has specific requirements and processes for implementing search head clustering.

If you are installing ITSI on an existing search head cluster environment that might already have other apps deployed, all of the steps in this section apply. Be careful not to delete or remove any existing content in the $SPLUNK_HOME/etc/shcluster/apps folder.

Prerequisites

Splunk IT Service Intelligence supports installation on Linux-based search head clusters only. At this time, Windows search head clusters are not supported by ITSI.

Before installing ITSI in a search head cluster environment, verify that you have:

  • One deployer
  • The same version of Splunk on the deployer and search head cluster nodes
  • The same app (not including ITSI) versions on the deployer and search head cluster nodes
  • A backup of etc/shcluster/apps on the deployer, taken before installing ITSI
  • A backup of etc/apps from one of the search head cluster nodes
  • A backup of the KV store from one of the search head cluster nodes

Steps

To install ITSI on a search head cluster:

  1. Log in to splunk.com with your Splunk.com ID and download the latest Splunk IT Service Intelligence product.
  2. On the deployer, extract the ITSI installation package into $SPLUNK_HOME/etc/shcluster/apps. For example:
    tar -xvf splunk-it-service-intelligence_<latest_version>.spl -C $SPLUNK_HOME/etc/shcluster/apps
    
  3. Remove the Splunk_TA_Infrastructure directory from the ITSI installation package, as it is installed on the indexers. See Configure indexers and license masters.
  4. Use the deployer to deploy ITSI to the cluster members. From the deployer, run this command:
    splunk apply shcluster-bundle
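
The backup prerequisite and steps 2 and 3 can be combined into one guarded staging function. This is an added example, not Splunk tooling or code from the original page; the function name, the refusal to overwrite existing apps, the archive member-name check, and the backup path are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Splunk's tooling): stage the ITSI package on the deployer.
# stage_itsi <package.spl> <shcluster_apps_dir> <backup_dir>
stage_itsi() {
    pkg=$1; apps=$2; backups=$3
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    [ -d "$apps" ] || { echo "not a directory: $apps" >&2; return 1; }

    # Refuse member names that are absolute or contain a ".." component,
    # since those could be written outside the apps directory.
    members=$(tar -tf "$pkg") || return 1
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive has absolute or parent-relative member names" >&2
        return 1
    fi

    # Prerequisite from the page: back up etc/shcluster/apps before installing.
    mkdir -p "$backups" || return 1
    tar -cf "$backups/shcluster-apps-$(date +%Y%m%d%H%M%S).tar" -C "$apps" . || return 1

    # Extract into a scratch directory so a failure leaves $apps untouched.
    stage=$(mktemp -d) || return 1
    tar -xf "$pkg" -C "$stage" || { rm -rf "$stage"; return 1; }

    # Step 3: Splunk_TA_Infrastructure goes on the indexers, not the cluster members.
    rm -rf "$stage/Splunk_TA_Infrastructure"

    # Never overwrite an app that is already in shcluster/apps.
    for dir in "$stage"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if [ -e "$apps/$name" ]; then
            echo "refusing to overwrite existing app: $name" >&2
            rm -rf "$stage"; return 1
        fi
    done
    for dir in "$stage"/*/; do
        [ -d "$dir" ] || continue
        cp -R "${dir%/}" "$apps/" || { rm -rf "$stage"; return 1; }
    done
    rm -rf "$stage"
}
# Example call on the deployer (the backup path is an assumption):
# stage_itsi ./splunk-it-service-intelligence_<latest_version>.spl \
#     "$SPLUNK_HOME/etc/shcluster/apps" /var/backups/splunk
```

After the function succeeds, continue with step 4 and run splunk apply shcluster-bundle from the deployer.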

Install required Java components

IT Service Intelligence requires Java 8 - 11 to run anomaly detection and notable event management features. You can install Java prior to or after installing ITSI.

Install Java on all search heads running ITSI. On RHEL and Ubuntu Linux, you can install the vendor packages: java-1.8.0-openjdk on RHEL Linux and openjdk-8-jdk on Ubuntu Linux. Alternatively, you can download and install the latest version of Oracle Java 8 - 11 (JRE or JDK).

If the JAVA_HOME environment variable is set correctly to the base of the Java installation, or the "java" executable (or "java.exe" in Windows) can be found using the PATH environment variable, no additional action is required. This is typically the case if you install the vendor Java packages in Linux or OS X.

If you install Java to a custom location (for example, when you install Oracle Java from oracle.com) and neither PATH nor JAVA_HOME is set to the Java installation, you must set JAVA_HOME in $SPLUNK_HOME/etc/splunk-launch.conf. For example:

JAVA_HOME=/opt/jdk1.8.0_74.jdk
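
A pre-flight check for the Java requirement described above, to run on each search head. This is an added example, not part of the original page or of ITSI; the function names, the lookup order (JAVA_HOME in the environment, then splunk-launch.conf, then PATH), and the /opt/splunk fallback for SPLUNK_HOME are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check for the Java 8 - 11 requirement on a search head.

# Print the JAVA_HOME value set in a splunk-launch.conf file (empty if none).
launch_conf_java_home() {
    sed -n 's/^[[:space:]]*JAVA_HOME[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1
}

# Read `java -version` output on stdin and print the quoted version string.
parse_java_version() {
    sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Map a version string to its major number: 1.8.0_74 -> 8, 11.0.2 -> 11.
java_major() {
    case $1 in
        1.*) v=${1#1.}; echo "${v%%.*}" ;;
        *)   echo "${1%%[!0-9]*}" ;;
    esac
}

# Succeed only for the range the page states (Java 8 - 11).
java_supported() {
    major=$(java_major "$1")
    [ -n "$major" ] && [ "$major" -ge 8 ] && [ "$major" -le 11 ]
}

# Locate java: JAVA_HOME from the environment, then from splunk-launch.conf,
# then PATH. This lookup order is an assumption of the example.
find_java() {
    conf="${SPLUNK_HOME:-/opt/splunk}/etc/splunk-launch.conf"
    for home in "${JAVA_HOME:-}" "$(launch_conf_java_home "$conf")"; do
        if [ -n "$home" ] && [ -x "$home/bin/java" ]; then
            echo "$home/bin/java"; return 0
        fi
    done
    command -v java
}

# Print "<path> (<version>)" on success; explain the failure otherwise.
check_java() {
    java_bin=$(find_java) || { echo "no java in JAVA_HOME or PATH" >&2; return 1; }
    ver=$("$java_bin" -version 2>&1 | parse_java_version)
    java_supported "$ver" || { echo "unsupported Java: ${ver:-unknown}" >&2; return 1; }
    echo "$java_bin ($ver)"
}
```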

Configure indexers and license masters

The ITSI installation package places all ITSI directories in $SPLUNK_HOME/etc/apps. Perform the following steps to set up indexers and license masters.

  1. Copy SA-IndexCreation and Splunk_TA_Infrastructure to $SPLUNK_HOME/etc/apps/ on all individual indexers in your environment.
  2. Install SA-ITSI-Licensechecker and SA-UserAccess on all license masters in your cluster. If a search head in your environment is also a license master, the license master components are installed when you install ITSI on the search heads.

Configure search heads and cluster members to forward data to indexers

In a search head cluster environment, configure search heads to forward data. ITSI runs KPI searches on search heads and by default stores data in the local itsi_summary index. It is considered a best practice to forward data from search heads to indexers.

See also

Migrate an existing search head to a search head cluster

An ITSI standalone search head or search head pool member cannot be added to a search head cluster. To migrate ITSI configurations to a search head cluster:

  1. Identify any custom configurations and modifications in the prior ITSI installation. Check to make sure there is no local copy of itsi_settings.conf that could conflict with the default one when you deploy ITSI to the cluster.
  2. Implement a new search head cluster.
  3. Deploy the latest version of IT Service Intelligence on the search head cluster.
  4. Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
  5. Shut down the old ITSI search head.

For more information, see the topic Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.

For assistance in planning a Splunk ITSI deployment migration, contact Splunk Professional Services.


This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3
