Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF


Splunk IT Service Intelligence version 4.4.x will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Acrobat logo Download topic as PDF

Dispatch episode actions to a remote ITSI instance

Dispatch episode actions on-premises from a Splunk Cloud instance using hybrid action dispatching. You can configure your on-premises instance to connect to the cloud and get the required information to run the action. Actions include updating the status, severity, and owner of episodes, adding comments, linking tickets, sending an email, pinging a host, and any other custom actions you've configured.

Hybrid action dispatching involves configuring your cloud instance as the Master node and your on-premises instance as the Executor node.

Node role Description
Master The node running core Event Analytics functionality. Configure aggregation policies and trigger actions from the Master node.
Executor The node where actions run. The Executor node receives actions dispatched from the Master node and executes them.

The following tasks are meant to configure your cloud instance as the Master node and your on-premises instance as the Executor node. However, you can configure both roles on on-premises instances if needed.

Prerequisites

    • You must have the admin or itoa_admin role to configure action dispatching.
    • If an action is configured on the Master node, it must also be configured on the Executor node. If there is a mismatch, the Master node might be able to configure actions that don't exist on the Executor. For information about configuring ServiceNow, VictorOps, and Remedy actions, see Take action on an episode in ITSI in the User IT Service Intelligence manual.

Configure the cloud search head as the Master node

Configure the cloud search head as the Master node. This is the node running core Event Analytics functionality.

1. Create an account on the Master node

Configure a user with the itoa_admin role on the cloud search head.

  1. Click Settings > Access controls.
  2. In the Users row, click +Add New.
  3. Type a name and password.
  4. In the Available item(s) list, click itoa_admin to add it to the Selected Item(s) list.
  5. Click Save.

2. Configure the Master node

Configure the cloud search head as the Master node.

  1. On the Master node, click Configure > Hybrid Action Dispatching.
  2. Set the node's role to Master.
  3. Click Save.

3. Disable action execution on the Master node

The ITSI actions queue consumers process KV store data and executes episode actions. Disable this component on the Master node so dispatched actions don't run locally.

  1. On the Master node, click Settings > Data inputs.
  2. Open the IT Service Intelligence Actions Queue Consumer.
  3. Click Disable in the Status column of the alpha, beta, and gamma instances to disable them.

4. Configure receiving on the Master node

Configure the master node to receive all action execution information from the Executor node.

  1. On the Master node, click Settings > Forwarding and receiving.
  2. Click Configure receiving.
  3. Click New Receiving Port.
  4. Add the TCP port number of the on-premises instance that will execute actions.
  5. Click Save.

Configure the on-premises search head as the Executor node

Configure the on-premises search head as the Executor node. This is the node that executes episode actions. The Executor makes outbound communication on port 8089 to the cloud search head (Master node), pulling data from the Master node.

You do not need to open any inbound ports. The Executor pushes data to the Master node by configuring forwarding on the port you specify.

5. Configure the Executor node

Assign the on-premises search head as the Executor node and configure the remote instance credentials.

  1. On the Executor node, click Configure > Hybrid Action Dispatching.
  2. Set the node's role to Executor.
  3. Configure the following settings:
    Setting Description
    URI The location of the Master node running core Event Analytics services. The URI must point to the management port 8089 (by default) of the Splunk platform instance and include a scheme, host, and port.
    Username The username that you configured when you created an account on the Master node.
    Password The password used to log in to the Master node.
  4. Click Save.
  5. Restart the Executor node to point the Action Queue Consumer to the Master node.

6. Disable the Rules Engine on the Executor node

Disable the Rules Engine on the Executor node so it doesn't run locally.

  1. On the Executor node, click Settings > Searches, reports, and alerts.
  2. Change the App: context to All.
  3. Search for the itsi_event_grouping search. The Rules Engine runs when this search is enabled.
  4. In the Actions column, click Edit > Disable to disable the Rules Engine,

7. Configure forwarding on the Executor node

Configure forwarding on the Executor node so that it can send action execution information to the Master node.

  1. On the Executor node, click Settings > Forwarding and receiving.
  2. Click Configure forwarding.
  3. Click New Forwarding Host.
  4. Enter the host and port number of the Master node.
  5. Click Save.

8. Make sure the action queue consumers are running on the Executor node

Perform the following steps on the Executor node:

  1. On the Executor node, click Settings > Data inputs.
  2. Open the IT Service Intelligence Actions Queue Consumer.
  3. Make sure the alpha, beta, and gamma instances show Enabled in the Status column. If not, enable them.

9. (Optional) Enable additional action queue consumers

ITSI provides five preconfigured action queue consumers with only three enabled by default. If actions show high latency (30+ seconds to run an action), enable more action queue consumers. For scaling purposes you can enable additional consumers on a single instance first. If you need additional action throughput, consider scaling out to a second executor node.

The default settings for action queue consumers, such as execution delay time and batch size, can support most ITSI environments. If your environment generates very high throughput, such as 1000 or more actions per minute, consider increasing the batch size for your action queue consumers.

Confirm setup

To confirm that you've successfully configured hybrid action dispatching, execute an action from the Master node. After the action runs, it should appear in the Activity tab of the episode.

Last modified on 21 December, 2020
PREVIOUS
Enable bidirectional ticketing with ServiceNow in ITSI 		  NEXT
Ingest third-party alerts as ITSI notable events

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters