Configure multiple ITSI deployments to use the same indexing layer
You can deploy separate non-clustered ITSI search heads for different purposes that forward data to the same indexers. For example, you can use one search head for production and a second search head for testing. You can also deploy separate search head clusters that use the same indexer cluster. In each case, the search heads must be running the same version of ITSI and Splunk Enterprise.
Before configuring multiple ITSI environments to search against the same indexing tier, you must first follow these steps to ensure that different ITSI environments don't end up inadvertently writing to the same ITSI indexes and polluting the results of your production environment.
High level steps:
- Create a new index for each of the five
anomaly_detectionindexes with the name of the environment appended to the original index name.
- Configure the ITSI search heads to write to the newly created indexes.
- Validate that your new environment is configured to write to the new indexes.
Step 1: Create new indexes
On each Splunk indexer, create a new index for each of the five
anomaly_detection indexes listed in
$SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf. Append the name of the environment to the original index name.
For more information, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Step 2: Configure search heads to write to new indexes
Perform one of the following steps depending on your deployment:
On each search head, create local versions of the following files. In each file, change the default ITSI index names to the new index names you want to use for the data from that search head:
For more information, see How to edit a configuration file in the Splunk Enterprise Admin Manual.
Search head cluster
Make the changes described in the non-clustered steps above on the deployer at
etc/shcluster/apps and push the changes to the cluster members. For more information, see Deploy a search head cluster in the Splunk Enterprise Distributed Search manual.
Step 3: Configure commands.conf
Skip this step if you're running a search head cluster.
On each search head, create a local version of the
commands.conf file in
$SPLUNK_HOME/etc/apps/SA-ITOA/local/. Add the following stanza to point to the local version of
Step 4: Restart Splunk software
Restart Splunk software or perform a rolling restart to put the changes into effect. For more information, see Restart the search head cluster in the Distributed Search manual.
Step 5: Confirm setup
On each search head, perform the following steps to confirm that searches are pointing to the correct indexes:
- Navigate to Settings > Data inputs > HTTP Event Collector. Look for the renamed index names for the five ITSI event management tokens with the following source types:
- Check the Event Analytics Audit dashboard to make sure the searches run as expected. For more information, see Event Analytics Audit dashboard in the Use Splunk IT Service Intelligence manual.
- Replace macro searches with the name of the renamed index. For example, the following searches should return the same events:
`itsi_event_management_index_with_close_events` | stats count AS events
index="<new name for itsi_tracked_alerts>" | stats count AS events
- Make sure the data is displaying as expected in service analyzers, deep dives, glass tables, and Episode Review.
- Verify that ITSI users can access the new indexes.
Install IT Service Intelligence in a search head cluster environment
Uninstall Splunk IT Service Intelligence
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1