Splunk® IT Service Intelligence

Install and Upgrade Splunk IT Service Intelligence

Download manual as PDF

Download topic as PDF

Uninstall Splunk IT Service Intelligence

Once you uninstall ITSI, you can perform a clean reinstallation. See Install Splunk IT Service Intelligence in this manual.

To uninstall ITSI, perform the following high-level steps:

  1. Clean the KV store.
  2. Delete all ITSI entries in collections.conf.
  3. Remove all Splunk apps installed with ITSI.
  4. Remove all ITSI-specific indexes.

ITSI does not provide an automatic way to clean up the contents for a distributed deployment. To clean a distributed deployment you must perform these steps on individual search heads and indexers.

These steps permanently delete all data associated with your ITSI deployment. Do not perform these steps unless you are certain that you want to permanently delete your ITSI deployment. If you are uncertain how to proceed, contact Splunk support for guidance.

Step 1: Clean the KV store

The steps to clean the KV store differ depending on your deployment architecture.

Clean the KV store on a standalone search head or license master

On all search heads, and the license master if applicable, clean the KV store. There are two ways to clean the KV store:

Use the Splunk CLI or run a curl request to delete each individual SA-ITOA collection.

  • Splunk CLI: $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA
  • Curl:
$curl –k –u admin:changeme –X DELETE https://localhost:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services

A complete listing of all SA-ITOA collections is available in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/default.meta.

Clean the KV store in a search head cluster

To clean the KV store in a search head cluster environment, run one of the above options to clean the KV store on a single cluster member. The cluster replicates this action and cleans the KV store on each cluster member. See Configuration methods that trigger replication in the Splunk Enterprise Distributed Search manual.

Step 2: Delete all ITSI entries in the collections.conf file

On all search heads, delete all ITSI entries in the collections.conf file.

Prerequisites

  • Only users with file system access, such as system administrators, can edit collections.conf.
  • Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.

Steps

  1. Open the local collections.conf file at $SPLUNK_HOME/etc/system/local/.
  2. Delete all entries whose stanza name starts with itsi_*.

Step 3: Remove all Splunk apps installed with ITSI

Remove all Splunk apps and add-ons installed with the current or previous versions of ITSI.

Do not remove SA-ThreatIntelligence, SA-Ticketing, SA-Utils, or Splunk_SA_CIM if they are in use by another app, such as Splunk Enterprise Security or Splunk App for VMware. If you remove them, any dependent apps will not function as expected.

Remove apps from standalone or non-clustered distributed environments

  1. Stop your Splunk platform deployment.
    $SPLUNK_HOME/bin/splunk stop
  2. On all search heads and indexers where ITSI or dependent apps and add-ons are installed, delete all items installed by the ITSI installation package. For example:
    cd $SPLUNK_HOME/etc/apps
    rm ­rf DA*
    rm ­rf SA*
    rm ­rf itsi 
    
  3. Start your Splunk platform deployment.
  4. Remove any ITSI modules that have been installed independently from ITSI, such as the Splunk ITSI Module for Application Performance Monitoring.

For a complete listing of apps and add-ons installed by the ITSI installation package, see About the ITSI installation package in this manual.

Remove apps from clusters

To delete an app from a search head cluster, you must remove it from the configuration bundle on the deployer. The next time you push the bundle, each cluster member deletes the app from its own file system. For more information, see Where to place the configuration bundle on the deployer in the Splunk Enterprise Distributed Search manual.

To delete an app from an indexer cluster, you must remove it from the deployment location on the cluster master. For more information, see Update common peer configurations and apps in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Step 4: Remove all ITSI indexes

Remove the following ITSI-specific indexes that SA-IndexCreation places in $SPLUNK_HOME/var/lib/splunk.

Do not remove any indexes that are currently in use by Splunk Enterprise Security or other Splunk apps, including notable and risk indexes.

  • anomaly_detection
  • itsi_grouped_alerts
  • itsi_notable_archive
  • itsi_notable_audit
  • itsi_summary
  • itsi_tracked_alerts
  • snmptrapd

For example:

cd $SPLUNK_HOME/var/lib/splunk
rm -rf itsi_* anomaly_detection
PREVIOUS
Configure multiple ITSI deployments to use the same indexing layer
  NEXT
Planning an upgrade of IT Service Intelligence

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1


Comments

Hi JykkeDaMan, thank you so much for pointing that out! It was a typo, fixed now.

Esnyder splunk, Splunker
September 17, 2019

Are you sure about this path?
> A complete listing of all SA-ITOA collections is available in $SPLUNK_HOME/etc/apps/SA-ITOA/default/metadata/default.meta.
I think it is:
$SPLUNK_HOME/etc/apps/SA-ITOA/metadata/default.meta

JykkeDaMan
September 13, 2019

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters