Splunk® IT Service Intelligence

Modules

Acrobat logo Download manual as PDF


Splunk IT Service Intelligence version 4.3.x will no longer be supported as of July 17, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
Acrobat logo Download topic as PDF

Edit or remove the default module content shipped with ITSI

IT Service Intelligence (ITSI) ships with preconfigured module base searches and SAI service templates. By default, you can't tune the base searches and service templates to fit your environment. This topic describes how to make this content editable so you can tune it through the UI. You can also choose to remove this content if you never use it.

The following instructions pertain to a standalone search head deployment. If you have a search head cluster environment, you must make the file changes on the deployer and deploy them to cluster members. Make all UI changes on the individual cluster members.

Prerequisites

  • Only users with file system access, such as system administrators, can remove module base searches and service templates.
  • Begin with a full installation of ITSI. Make sure that all add-ons and their configuration files are intact.

Steps

The changes described in this section don't persist through an ITSI upgrade. After you make these changes, follow the instructions in the next section during future upgrades.

  1. To make SAI content editable, open $SPLUNK_HOME/etc/apps/SA-ITOA/default/itsi_base_service_template.conf and remove all lines reading _immutable = true
  2. Restart Splunk software. During the restart, each KV store artifact that originated from an ITSI add-on is updated to allow write access.
  3. (Optional) Verify that the changes worked by removing an unused ITSI KPI base search. For example DA-ITSI-EUEM*.
  4. Remove the following configuration files that load the preconfigured content into the KV store:
    cd $SPLUNK_HOME/etc/apps/
    rm DA-ITSI-*/default/itsi_kpi_template.conf
    rm DA-ITSI-*/default/itsi_kpi_base_search.conf
    rm DA-ITSI-*/default/itsi_service_template.conf
    rm SA-ITOA/default/itsi_base_service_template.conf
    rm SA-ITOA/default/itsi_kpi_base_search.conf
  5. Restart Splunk software.

The module-provided KPI base searches and SAI service templates are now fully editable. You can tune these base searches as desired.

It's a best practice to remove unwanted KPI base searches and service templates. The UI prevents the inadvertent removal of any base search that is currently in use.

Prevent content from loading during future upgrades

For new environments, or for environments where you've already performed the steps above, follow these instructions during all future installations and upgrades to prevent immutable content from reloading.

  1. Stop your Splunk software.
  2. Install or upgrade ITSI. Do not start Splunk software after the install or upgrade completes.
  3. Remove the following configuration files:
    cd $SPLUNK_HOME/etc/apps/
    rm DA-ITSI-*/default/itsi_kpi_template.conf
    rm DA-ITSI-*/default/itsi_kpi_base_search.conf
    rm DA-ITSI-*/default/itsi_service_template.conf
    rm SA-ITOA/default/itsi_base_service_template.conf 
    rm SA-ITOA/default/itsi_kpi_base_search.conf
  4. Start your Splunk software.
Last modified on 08 February, 2021
PREVIOUS
ITSI module release notes
 

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters