Splunk® Content Packs for ITSI and IT Essentials Work


Install and configure the Content Pack for Monitoring Phantom as a Service

Perform the following high-level steps to configure the content pack:

  1. Install the content pack on your search head.
  2. Review and edit the search macro to include all indexes you're using for the KPIs within the Phantom services.
  3. Tune KPI threshold levels.
  4. Configure alerting and notification settings.


Step 1: Install the content pack

If you're a Splunk Cloud Platform customer, you can install the content pack directly through the ITSI Content Library in a future release. You can also install content packs through the ITSI REST API. If you're an on-premises customer on a version lower than 4.8.0, see Install the content pack on an on-premises instance.

Install the content pack through the REST API

On ITSI version 4.8.x, you can use the itoa_interface/content_pack endpoint to install content packs through the ITSI REST API. The endpoint includes GET operations to fetch versioning information and preview the contents of the content pack, and a POST operation to install content packs.
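The following shell wrapper is an added example, not code from the Splunk documentation: it calls the content_pack endpoint named above with a Splunk authentication token taken from the environment rather than a password on the command line, and leaves TLS verification on. The host, the management port, the servicesNS/nobody/SA-ITOA path prefix and the POST body keys are assumptions; take the real POST parameters from the ITSI REST API reference and pass them as key=value arguments.

```shell
#!/bin/sh
# Added example for driving the ITSI content-pack endpoint with curl.
# Assumptions: ITSI management port 8089, token-based auth, and the usual
# ITSI REST path prefix /servicesNS/nobody/SA-ITOA (not confirmed by this page).
ITSI_HOST="${ITSI_HOST:-https://itsi-sh.example.com:8089}"   # assumed host:port
ITSI_TOKEN="${ITSI_TOKEN:-}"                                # Splunk auth token from the environment

# Build the endpoint URL. Kept as a pure function so it can be checked without a server.
cp_url() {
  printf '%s/servicesNS/nobody/SA-ITOA/itoa_interface/content_pack' "$ITSI_HOST"
}

# Refuse to run without a token instead of falling back to a password prompt.
require_token() {
  if [ -z "$ITSI_TOKEN" ]; then
    echo "ITSI_TOKEN is not set" >&2
    return 1
  fi
}

# GET: versioning information and a preview of the content pack contents.
# No -k / --insecure: the search head's certificate is verified.
cp_preview() {
  require_token || return 1
  curl -sS --fail -H "Authorization: Bearer $ITSI_TOKEN" "$(cp_url)"
}

# POST: install. Every argument is a key=value pair taken from the ITSI REST
# API reference (placeholders here, e.g. cp_install 'id=<CONTENT_PACK_ID>').
cp_install() {
  require_token || return 1
  set -- "$@"
  args=""
  for kv in "$@"; do
    args="$args --data-urlencode $kv"
  done
  # shellcheck disable=SC2086  # word-splitting of $args is intended
  curl -sS --fail -X POST -H "Authorization: Bearer $ITSI_TOKEN" $args "$(cp_url)"
}
```

Run `cp_preview` first and confirm the version and object list look right before calling `cp_install`.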

Install the content pack on an on-premises instance

Perform the following steps to install the content pack:

  1. Download the following ITSI backup file: BACKUP-CP-PHANTOM-1.0.1.zip.
  2. On your ITSI search head, create a restore job and upload the backup file. For instructions, see Restore from a backup zip file.
  3. After the restore job completes, confirm that the objects included in the content pack are restored to your environment.

Step 2: Configure Phantom services

This content pack ships with the following services:

  • Splunk Phantom - OS
  • Splunk Phantom - Application

Splunk Phantom - OS

The Splunk Phantom - OS service uses entity filter rules to match the Phantom hosts it monitors. For more information about entity filtering, see Split and filter a KPI by entities in ITSI in the Service Insights manual.

Perform the following steps to configure the Splunk Phantom - OS service for OS monitoring:

  1. In ITSI, click Configuration > Services.
  2. Open the Splunk Phantom - OS service.
  3. Click the Entities tab.
  4. In the Alias host matches field, list each of the Phantom servers you plan to monitor.
  5. Review the list of matched entities and make sure you see one entity for each Phantom server.
  6. Click Save to save the service configuration.

For more information about configuring entity rules, see Define entity rules for a service in ITSI in the Service Insights manual.

Splunk Phantom - Application

The Splunk Phantom - Application service is for application-level KPIs.

Step 3: Tune KPI thresholds

After you configure your Phantom services, you must tune the thresholds within each Phantom KPI to meet the specifics of your environment. It's best to do this when you have at least a week of data in your Phantom environment.

First, review every KPI and decide whether it will help you identify when your Phantom service is degraded. If a KPI doesn't turn out to be a good indicator of service degradation, remove it to keep your implementation simple. This also makes it easier to find the information that leads you to the insight you're looking for.

Review and refine every KPI threshold so that service health scores and the notable events ITSI creates are as accurate as possible. Use the following resources to configure KPI thresholds:

Step 4: Configure alerting and notification settings

Configure ITSI to send you alerts when one or more KPIs are experiencing a sustained degradation.

Next steps

Now that you've completed the installation and configuration steps, continue to Use the Content Pack for Monitoring Phantom as a Service.

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current
