The following are the spec and example files for
# Copyright (C) 2005-2020 Splunk Inc. All Rights Reserved. # This file contains attributes and values for configuring the IT Service # Intelligence (ITSI) app. # # There is an itsi_settings.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/. # To set custom configurations, place an itsi_settings.conf in # $SPLUNK_HOME/etc/apps/SA-ITOA/local/. You must restart Splunk software to enable # configurations. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles # # CAUTION: You can drastically affect your Splunk installation by changing these settings. # Consult technical support (http://www.splunk.com/page/submit_issue) if you are not sure how # to configure this file.
# Use the [default] stanza to define any global settings. # * You can also define global settings outside of any stanza, at the top # of the file. # * Each .conf file should have at most one default stanza. If there are # multiple default stanzas, attributes are combined. In the case of # multiple definitions of the same attribute, the last definition in the # file wins. # * If an attribute is defined at both the global level and in a specific # stanza, the value in the specific stanza takes precedence.
* 'app' is the ID for the app containing the datamodel. blacklist = <datamodel_names_list> * A pipe-separated list of data model external authentication interface (EAI) names (IDs) to blacklist. * NOTE: Data model names do not contain pipe characters. * The blacklisted data models will not be supported and remain hidden from the ITSI UI.
show_migration_message = <boolean> * Removes Cloud migration messages about deprecated files or apps from the logs because this process is done internally.
* Defines settings related to ITSI backup/restore. job_queue_timeout = <seconds> * The amount of time, in seconds, before the backup/restore job queue times out if the node owning the job has been down for too long to allow other jobs to proceed. * The minimum supported timeout period is 3600 seconds (1 hour). The system sets the timeout to 3600 seconds when a value lower than this is set. * Default: 43200 (12 hours)
* Defines limits for import behavior. import_batch_size = <integer> * The number of rows or objects that the importer should analyze before attempting a save to the KV store. * Default: 1000 preview_sample_limit = <integer> * The maximum number of rows that are returned from a preview request for a pending import. * Default: 100 asynchronous_processing_threshold = <integer> * The number of rows after which the bulk importer reads and stores the inbound content so that it can be processed at a more convenient time, rather than processing it immediately.
* Defines backfill settings. pre_calculation_window = <seconds> * The size, in seconds, of the pre-calculation window for metric backfill. * The smallest accepted value is 1. Increasing this value makes the backfill search faster, but less accurate. * Default: 1
* Defines Splunk App for Infrastructure (SAI) settings. show_detection_modal = <boolean> * Whether or not to show the Splunk App for Infrastructure integration modal when the Service Analyzer loads. * If "1", ITSI displays the integration modal. * If "0", ITSI does not display the integration modal. * Default: 1
disabled = <boolean> * Indicates whether KPI saved searches have a randomized schedule or the same schedule. * If "1", KPI saved searches run at staggered times throughout the scheduled interval. * If "0", KPI saved searches all run at the same time during each scheduled interval. * CAUTION: Changing this value to "0" can have a significant performance impact. KPI saved * searches are designed to run at different times to prevent the search scheduler from becoming overloaded. * Default = 1
timeout_read = <seconds> * The maximum number of seconds that an ITSI custom search command will attempt to read a chunk from the "chunked" custom search command protocol. * Default: 3600
* Enables the ability to dispatch actions from a Splunk instance to be executed on another instance. * Configure these settings in this stanza if you want to specify whether this Splunk instance will read actions and execute actions from another instance or dispatch actions to another Splunk instance. * The settings in this stanza define the host's role. If configured as an 'executor' they also define the URI and username of the host for consuming Event Analytics episode actions. role = <executor|manager|both> * Whether the machine is executing actions, running core event analytics services, or both. * If "executor", the host is only executing actions. * If "manager", the host is only running core event analytics services. * Default: both remote_ea_mgmt_uri = <string> * The Splunkd management URI from which to pull action jobs, in addition to other core event analytics services. * The URI must include a scheme, host, and port. * If an empty string, ITSI uses the local Splunk address to avoid the necessity of an update if a custom port or scheme is in use on the local Splunk instance. * This setting is only required if 'role' is set to "executor". * Default: empty string remote_ea_username = <string> * The username to use when communicating with the remote host for actions and updates. * If you're on localhost, ITSI always uses the past session from Splunkd (the provided username is ignored in this case). * This setting is only required if 'role' is set to "executor". * Default: empty string
service_template_sync_in_progress = <boolean> * Whether a service template is currently syncing. * If "1", at least one service template is syncing and it is not safe to upgrade. * If "0", no service templates are syncing and it is safe to upgrade. * CAUTION: Do not change this setting. It is updated dynamically by ITSI. * Default: 0
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.7.0