Splunk® IT Service Intelligence

Modules

Download manual as PDF

Download topic as PDF

Edit or remove the default module content shipped with ITSI

IT Service Intelligence (ITSI) ships with preconfigured module base searches and SAI service templates. By default, you can't tune the base searches and service templates to fit your environment. This topic describes how to make this content editable so you can tune it through the UI. You can also choose to remove this content if you never use it.

The following instructions pertain to a standalone search head deployment. If you have a search head cluster environment, you must make the file changes on the deployer and deploy them to cluster members. Make all UI changes on the individual cluster members.

Prerequisites

  • Only users with file system access, such as system administrators, can remove module base searches and service templates.
  • Begin with a full installation of ITSI. Make sure that all add-ons and their configuration files are intact.

Steps

The changes described in this section don't persist through an ITSI upgrade. After you make these changes, follow the instructions in the next section during future upgrades.

  1. To make add-on content editable, open $SPLUNK_HOME/etc/apps/SA-ITOA/lib/itsi/itsi_utils.py and change line 1369 to read normalized_setting['_immutable'] = 0.
  2. To make SAI content editable, open $SPLUNK_HOME/etc/apps/SA-ITOA/default/itsi_base_service_template.conf and remove all lines reading _immutable = true
  3. Restart Splunk software. During the restart, each KV store artifact that originated from an ITSI add-on is updated to allow write access.
  4. (Optional) Verify that the changes worked by removing an unused ITSI KPI base search. For example DA-ITSI-EUEM*.
  5. Remove the following configuration files that load the preconfigured content into the KV store:
    cd $SPLUNK_HOME/etc/apps/
    rm DA-ITSI-*/default/itsi_kpi_template.conf
    rm DA-ITSI-*/default/itsi_kpi_base_search.conf
    rm DA-ITSI-*/default/itsi_service_template.conf
    rm SA-ITOA/default/itsi_base_service_template.conf
    rm SA-ITOA/default/itsi_kpi_base_search.conf
  6. Restart Splunk software.

The module-provided KPI base searches and SAI service templates are now fully editable. You can tune these base searches as desired.

It's a best practice to remove unwanted KPI base searches and service templates. The UI prevents the inadvertent removal of any base search that is currently in use.

Prevent content from loading during future upgrades

For new environments, or for environments where you've already performed the steps above, follow these instructions during all future installations and upgrades to prevent immutable content from reloading.

  1. Stop your Splunk software.
  2. Install or upgrade ITSI. Do not start Splunk software after the install or upgrade completes.
  3. Remove the following configuration files:
    cd $SPLUNK_HOME/etc/apps/
    rm DA-ITSI-*/default/itsi_kpi_template.conf
    rm DA-ITSI-*/default/itsi_kpi_base_search.conf
    rm DA-ITSI-*/default/itsi_service_template.conf
    rm SA-ITOA/default/itsi_base_service_template.conf 
    rm SA-ITOA/default/itsi_kpi_base_search.conf
  4. Start your Splunk software.
Last modified on 23 June, 2020
PREVIOUS
ITSI module release notes
 

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0 Cloud only


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters