Splunk® IT Service Intelligence

Entity Integrations Manual

Install content packs

Use the ITSI guided setup to install content pack objects and activate or deactivate content pack saved searches.

Prerequisites

  • You must be assigned the itoa_admin role to install content packs and update the status of saved searches.
  • You must have access to the _internal index to track the content pack installation using logs.

About the content library

On the Data Integrations page, the Content library tab lists pre-installed content packs and user-generated content packs.

Only content packs that have ITEW/ITSI objects or saved searches are visible on this page. For example, a content pack consisting only of Splunk Enterprise objects and no saved searches will not be visible on this page.

If the content pack includes saved searches, the content pack tile lists the status of the searches. Saved search status can be one of the following states:

  • All Saved Searches activated: This text displays if all the saved searches of the content pack are activated.
  • All Saved Searches deactivated: This text displays if all the saved searches of the content pack are deactivated.
  • X/Y Saved Searches deactivated: This text displays when some of the saved searches are deactivated, where X is the number of saved searches in a deactivated state and Y is the total number of saved searches in the content pack.

Install a content pack that has ITE Work/ITSI objects and saved searches

To install a content pack that has ITE Work/ITSI objects and saved searches:

  1. From the ITSI main menu, select Configuration, then Data Integrations.
  2. Select Content library.
  3. Select the content pack you want to install.
  4. Review the content pack objects and select Proceed.
  5. Select objects to install:
    1. Select the objects you want to install as part of this content pack. The installer identifies which objects from the content pack are new and which ones already exist in your environment. If you select an existing object, it will be overwritten with the content shipped in this content pack.
    2. If there is an object with the same name but different ID on your system, it will be denoted with an error or information icon. Error icons appear for objects that do not allow duplicate names, while information icons appear for objects that allow duplicate names. The guided setup does not allow you to select objects with an error icon for installation.
  6. (Optional) Import as enabled: Select whether to install objects as enabled rather than disabled. This setting only applies to services, correlation searches, and aggregation policies. All other objects, such as KPI base searches and saved searches, are installed in their original state regardless of what you set for this option.
  7. Modify status of saved searches: This option is only displayed if the content pack contains saved searches. By default, saved searches included in a content pack are in a deactivated state. Select how to install the saved searches in your content pack:
    1. Activate all saved searches: Select this option to activate all the saved searches associated with the content pack.
    2. Deactivate all saved searches: Select this option to deactivate all the saved searches associated with the content pack.
    3. Retain current status of saved searches: Select this option to preserve the existing status of the saved searches within the content pack.
  8. (Optional) Add a prefix to your new objects: Add a custom prefix to each object from the content pack. For example, you can prefix your objects with CP- to indicate they came from a content pack. This option helps you locate and manage the objects after installation. Prefixes are not applied to entity types and correlation searches.
  9. (Optional) Backfill service KPIs: Select whether to backfill your ITSI environment with the last 7, 14, 30, or 60 days of KPI data. Consider turning on backfill if you want to configure adaptive thresholding and predictive analytics for the new services. This setting only applies to KPIs, not service health scores.
  10. When your selections are complete, select Install selected.
  11. Select Install to confirm the installation. When the installation is complete, a window appears that displays the objects that were installed and not installed in your environment.

Install a content pack that only has saved searches

To install a content pack that only has saved searches and does not have ITE Work/ITSI objects:

  1. From the ITSI main menu, select Configuration, then Data Integrations.
  2. Select Content library.
  3. Select the content pack you want to install.
  4. Review the content pack objects and select Proceed.
  5. Modify status of saved searches: By default, saved searches included in a content pack are in a deactivated state. Select how to install the saved searches in your content pack:
    1. Activate all saved searches: Select this option to activate all the saved searches associated with the content pack.
    2. Deactivate all saved searches: Select this option to deactivate all the saved searches associated with the content pack.
    3. Retain current status of saved searches: Select this option to preserve the existing status of the saved searches within the content pack.
  6. Select Install to confirm the installation. If you opted to activate or deactivate all saved searches, a window appears that displays the status of the saved searches in your environment.

Track content pack installation status

From the ITSI main menu, select Messages. When a content pack installation starts, fails, or succeeds, a message appears with a link to view the logs for the process.

Last modified on 05 February, 2025
Overview of creating custom content packs in ITSI   Create a single entity in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.20.0

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters