Before you upgrade IT Service Intelligence
Perform the steps in this topic before you upgrade IT Service Intelligence (ITSI) to the latest release. Splunk Cloud Platform customers have to work with Splunk Support to coordinate upgrades to ITSI. Version 4.8.x supports upgrading from version 4.5.x or later. To upgrade from earlier versions, perform intermediary upgrades.
Remove episode lookup entries from transforms.conf
Version 4.6.0 updated the notable event system KV store collection in transforms.conf with the following fields:
Before upgrading to version 4.6.0 or later from a pre-4.6.0 version, remove any entries for
itsi_notable_group_system_lookup in your local transforms.conf so these fields can be populated in the system KV store collection.
In addition, the
instructions field was added to the
itsi_notable_group_user KV store collection in version 4.5.0. Before upgrading to version 4.5.0 or later from a pre-4.5.0 version, remove any entries for
itsi_notable_group_user_lookup in your local transforms.conf so this value can be populated in the user KV store collection.
Make sure no service templates are syncing
If any service templates are syncing when you upgrade ITSI, the upgrade fails. Check the sync status of service templates by clicking Configuration > Service Templates from the ITSI main menu.
Check admin role inheritance
Make sure the Splunk
admin role inherits from the
itoa_admin role. The default settings for admin role inheritance for ITSI are contained in authorize.conf. Problems can occur when these settings have been modified in a local version of the file.
Check KV store size limits
The limit of a single batch save to a KV store collection is 500 MB. Check the total amount of data that your services contain, and, if necessary, increase the KV store size limit in
$SPLUNK_HOME/etc/apps/SA-ITOA/local/limits.conf. This setting controls the maximum size, in megabytes (MB), of the results that are returned for a single query to a collection.
- Only users with file system access, such as system administrators, can increase the KV store size limit.
- Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.
- Open or create a local limits.conf file in
- Increase the
max_size_per_result_mbvalue in the [kvstore] stanza:
[kvstore] max_size_per_result_mb = [new value]
Review known issues and changes
Review the following topics before you upgrade ITSI:
- Compatible versions of the Splunk platform. See Splunk Enterprise system requirements.
- Hardware requirements. See Planning your hardware requirements.
- Known issues with the latest release of IT Service Intelligence. See Known issues in Splunk IT Service Intelligence in the Release Notes.
- Removed features in the latest release of IT Service Intelligence. See Removed features in the Release Notes.
Recommendations for upgrading IT Service Intelligence
Upgrade both the Splunk platform and IT Service Intelligence in the same maintenance window. See the Splunk Enterprise system requirements to verify which versions of Splunk ITSI and Splunk Enterprise are supported with each other.
If you're upgrading to the Python 3 release of Splunk Enterprise (version 8.x), you must upgrade ITSI and all other apps before upgrading Splunk Enterprise. For more information, see Python 3 migration with ITSI.
- Upgrade Splunk Enterprise to a compatible version.
- Upgrade Splunk platform instances.
- Upgrade Splunk IT Service Intelligence.
- Review, upgrade, and deploy add-ons.
- See Version-specific upgrade notes for post-installation tasks.
Upgrading ITSI deployed on a search head cluster is a multi-step process. The procedure is detailed in Upgrade IT Service Intelligence in a search head cluster environment in this manual.
Uninstall Splunk IT Service Intelligence
Steps to address the Apache Log4j vulnerabilities in ITSI or IT Essentials Work
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.8.0 Cloud only, 4.8.1 Cloud only