
Requirements for integrating the Splunk App for Infrastructure with ITSI
Integration between IT Service Intelligence (ITSI) and the Splunk App for Infrastructure (SAI) requires installation on the same instance of Splunk Enterprise. The ITSI installation package includes the Splunk App for Infrastructure and Splunk Add-on for Infrastructure. You have the option to integrate entities and alerts when first launching ITSI, or you can integrate at a later time.
Installation requirements for integration
Integration between Splunk App for Infrastructure and ITSI is supported in the following environments.
For deployment planning information, see Integration with the Splunk App for Infrastructure in the Install and Upgrade Splunk IT Service Intelligence manual.
Environment | Installation requirements |
---|---|
Single Splunk Enterprise instance | In a single-instance deployment, a Splunk Enterprise instance serves as both search head and indexer. When installing the ITSI installation package, Splunk App for Infrastructure and Splunk Add-on for Infrastructure are automatically installed. See Install Splunk IT Service Intelligence in the Install and Upgrade Splunk IT Service Intelligence manual. |
Distributed Splunk Enterprise environment | In a distributed Splunk Enterprise environment, install the Splunk App for Infrastructure and ITSI on the same search head and install the Splunk Add-on for Infrastructure on the indexers. See Install IT Service Intelligence in a distributed environment in the Install and Upgrade Splunk IT Service Intelligence manual. |
Splunk Cloud | Splunk Cloud customers must work with Splunk Support to coordinate access to the IT Service Intelligence search head. |
You cannot directly integrate Splunk Insights for Infrastructure with ITSI. You must upgrade your Splunk Insights for Infrastructure instance to Splunk Enterprise first. See Upgrade Splunk Insights for Infrastructure to Splunk Enterprise for information.
Supported software versions
The following software versions are required for integration between ITSI and the Splunk App for Infrastructure. The ITSI installation package includes Splunk App for Infrastructure and Splunk Add-on for Infrastructure.
Product Name | Product Version |
---|---|
Splunk IT Service Intelligence | 4.2.0 or later |
Splunk App for Infrastructure | 1.3.0 or later |
Splunk Add-on for Infrastructure | 1.3.0 or later |
Splunk Enterprise | 7.2.0 or later |
Integrate with the Splunk App for Infrastructure
The first time ITSI detects Splunk App for Infrastructure on the same Splunk Enterprise instance, a dialog opens asking if you want to integrate with the Splunk App for Infrastructure.
- Open IT Service Intelligence.
- Integrate with the Splunk App for Infrastructure. There are two ways to integrate:
  - The first time you create a service in ITSI, the "Integrate with Splunk App for Infrastructure" dialog opens if ITSI detects the Splunk App for Infrastructure on the same Splunk Enterprise instance. Both integration options are enabled by default, and you can select to integrate now or later.
    - To integrate entities and alerts, click Integrate.
    - To integrate at a later time, click Later. See Manually enable or disable integration.
  - If the "Integrate with Splunk App for Infrastructure" dialog does not open, manually enable the integration. Go to Configure > Entities > Manage Integrations and enable.
- After you receive the message that integration is complete, click View All Entities or close the dialog and select Configure > Entities from the top menu bar.
- On the Entities page, filter on SAI to see the entities that were imported from the Splunk App for Infrastructure. If you don't see entities from the Splunk App for Infrastructure after a few minutes, see Entities from the Splunk App for Infrastructure are not imported into ITSI. Entities imported from Splunk App for Infrastructure that meet entity rules for a service are associated with the service.
Entities that are deleted in Splunk App for Infrastructure are not removed in ITSI.
Manually enable or disable integration
You can manually enable or disable the integration between the Splunk App for Infrastructure and ITSI:
- If you did not select to integrate, you can manually enable entity and alert integration.
- If you want to stop the integration, you can manually disable entity and alert integration.
Manually enable entity and alert integration
- Log in to the Splunk platform with a Splunk admin account.
- In ITSI, click Configure > Entities.
- Click Manage Integrations.
- Enable the options Integrate entities so ITSI has the latest entity information and Integrate alerts so you can manage all alerts in ITSI.
- Click Save.
- After you receive the message that integration is complete, click View All Entities or close the dialog and select Configure > Entities from the top menu bar.
- On the Entities page, filter on SAI to see the entities that were imported from the Splunk App for Infrastructure. Entities from the Splunk App for Infrastructure are imported into ITSI, and update about every 5 minutes. For information about alert integration, see Ingest Splunk App for Infrastructure alerts into ITSI as notable events.
Note: If you don't see entities from the Splunk App for Infrastructure after a few minutes, see Entities from the Splunk App for Infrastructure are not imported into ITSI.
Manually disable entity and alert integration
- Log in to the Splunk platform with a Splunk admin account.
- In ITSI, click Configure > Entities.
- Click Manage Integrations.
- Disable the options Integrate entities so ITSI has the latest entity information and Integrate alerts so you can manage all alerts in ITSI.
- Click Save.
ITSI will no longer receive updated entity and alert information from Splunk App for Infrastructure. However, the entities and alerts that were already imported remain. You must delete them manually in ITSI if you no longer want them.
How the integration works
A modular input called "Splunk App for Infrastructure - Entity Migration" publishes entities from the Splunk App for Infrastructure to the entity exchange.
A modular input called "IT Service Intelligence Entity Exchange Consumer Modular Input" enables ITSI to consume the entities from the entity exchange. This modular input runs on a regular interval as defined in SA-ITOA/Default/inputs.conf (default is every 300 seconds). This modular input is enabled by default and you don't need to take any action to make it work.

```
[itsi_entity_exchange_consumer://itsi_entity_exchange_consumer1]
interval = 300
```
Performance considerations
By default, the entity integration imports up to 50,000 entities from the Splunk App for Infrastructure. If you have more than 50,000 entities in Splunk App for Infrastructure, only the first 50,000 import into ITSI.
To import more than 50,000 entities, increase the max_rows_per_query setting in $SPLUNK_HOME/etc/apps/SA-ITOA/local/limits.conf under the [kvstore] stanza to be higher than the number of entities in the Splunk App for Infrastructure.
```
[kvstore]
# The maximum number of rows that will be returned for a single query to a collection.
# If the query returns more rows than the specified value, then returned result set will contain the number of rows specified in this value.
# Default: 50000
max_rows_per_query = 50000
```
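Because entities beyond the limit are simply not imported, it is worth checking the effective limit against the entity count before relying on ITSI as a complete inventory. The following is an added example, not part of the Splunk documentation: it resolves max_rows_per_query from the app's default and local limits.conf text and reports how many entities would be left out. The function names, the sample .conf text and the entity counts are constructed for illustration, and only the app's own default and local layers are considered.

```python
import re

DEFAULT_MAX_ROWS = 50000  # default value stated on this page


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def effective_max_rows(default_text, local_text):
    """Resolve [kvstore] max_rows_per_query; local overrides default."""
    value = DEFAULT_MAX_ROWS
    for text in (default_text, local_text):  # lowest to highest precedence
        raw = parse_conf(text).get("kvstore", {}).get("max_rows_per_query")
        if raw is not None:
            value = int(raw)
    return value


def check_import(entity_count, limit):
    """The page asks for a limit strictly higher than the entity count."""
    return {
        "ok": limit > entity_count,
        "not_imported": max(0, entity_count - limit),
    }


# Constructed sample input (not taken from a real deployment).
SAMPLE_DEFAULT = "[kvstore]\n# Default: 50000\nmax_rows_per_query = 50000\n"
SAMPLE_LOCAL = "[kvstore]\nmax_rows_per_query = 80000\n"

if __name__ == "__main__":
    for local in ("", SAMPLE_LOCAL):
        limit = effective_max_rows(SAMPLE_DEFAULT, local)
        print(limit, check_import(62000, limit))
```
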
See also
- About the Splunk App for Infrastructure in the Splunk App for Infrastructure Install and Upgrade Splunk App for Infrastructure manual.
- Install Splunk IT Service Intelligence in the Splunk IT Service Intelligence Install and Upgrade Splunk IT Service Intelligence manual.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1