Splunk® Content Packs for ITSI and IT Essentials Work


Install and configure the Content Pack for Monitoring Splunk as a Service

Perform the following high-level steps to configure the Content Pack for Monitoring Splunk as a Service:

  1. Install the content pack on your ITSI search head.
  2. Remove unnecessary services.
  3. Import or update entities.
  4. Test the configuration.
  5. (Optional) Configure alerting.
  6. Tune KPI thresholds.

Installation considerations

The Content Pack for Monitoring Splunk as a Service doesn't have team restrictions and is therefore available to the Global team. If you want to limit visibility to the content pack, create a new ITSI team and associate the services to the newly created team. For more information about teams, see Overview of teams in ITSI in the Service Insights manual.

All services and service templates in this content pack begin with the name Splunk and base searches are prefaced with SPLK for ease of filtering.

Prerequisite

Take a full backup of your ITSI environment in case you need to uninstall the content pack later. For more information, see Create a full backup of ITSI in the Administration Manual.

Step 1: Install the content pack

If you're a Splunk Cloud Platform customer, you can install the content pack directly through the ITSI Content Library in a future release. You can also install content packs through the ITSI REST API. If you're an on-premises customer on a version lower than 4.8.0, see Install the content pack in an on-premises instance.


Install the content pack through the REST API

On ITSI version 4.8.x you can use the itoa_interface/content_pack endpoint to install content packs through the ITSI REST API. The endpoint includes GET operations to fetch versioning information and preview the contents of the content pack, and a POST operation to install content packs.

Install the content pack on an on-premises instance

Perform the following steps to install the content pack:

  1. Download the following ITSI backup file: BACKUP-CP-SPLUNK-2.0.1.zip
  2. On your ITSI search head, create a restore job and upload the backup file. For instructions, see Restore from a backup zip file.
  3. After the restore job completes, confirm that the objects included in the content pack are restored to your environment.

Step 2: Remove unnecessary services

Not all deployed environments have the full assortment of services represented in this content pack. After you install the content pack, go to Configuration > Services within ITSI and delete any services that don't exist in your environment.

Step 3: Import or update entities

To model your Splunk architecture, you need to import each piece of your Splunk infrastructure into ITSI as an individual entity. All services included in this content pack rely on the corresponding entity having an entity information field called splunk_role. You need to include this field when you import your Splunk infrastructure. If your entities already exist, you need to add this field by re-importing them.

To create your Splunk entities, go to Configuration > Entities from the ITSI main menu. You can create entities manually for a smaller environment, or bulk import them from a CSV or Splunk search in a larger environment.

If using the bulk import method, perform the following steps:

  1. Create a Splunk table or a CSV file with the columns host and splunk_role.
  2. For each Splunk host you want to import, assign a role in the splunk_role column for the component of your Splunk architecture it corresponds to. This table lists the splunk_role value needed for each type of host in order for it to be mapped to a service in the service tree.

    Instance type                    splunk_role
    ITSI instances                   itsi
    Indexers                         indexer
    Cluster managers                 indexer_cluster_master
    Search heads                     search_head
    Clustered search heads           search_head_cluster
    Deployment servers               deployment_server
    License masters                  license_master
    Enterprise Security instances    enterprise_security
    Heavy forwarders                 heavy_forwarder
    Management Console               mgmt_console

  3. From the ITSI main menu, click Configuration > Entities.
  4. Click Create entity and import your entities using one of the following methods:

    In the Import Column As step of the import, configure the following column types:

    Column         Column type
    host           Entity Title
    splunk_role    Entity Information Field
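
A host whose splunk_role value doesn't match one of the values in step 2 isn't mapped to a service, so it silently drops out of monitoring. The following added example (not part of the Splunk documentation) checks a bulk-import CSV before upload. The function name and sample hostnames are made up for illustration, and exact, case-sensitive matching of role values is a conservative assumption.

```python
import csv
import io

# splunk_role values taken from the table in step 2
VALID_ROLES = {
    "itsi", "indexer", "indexer_cluster_master", "search_head",
    "search_head_cluster", "deployment_server", "license_master",
    "enterprise_security", "heavy_forwarder", "mgmt_console",
}

def validate_entities(csv_text):
    """Return (rows, problems): rows safe to import and a list of rejected lines."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {"host", "splunk_role"} - set(reader.fieldnames or [])
    if missing:
        return [], [f"missing column(s): {', '.join(sorted(missing))}"]
    rows, problems, seen = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        host = (row["host"] or "").strip()
        role = (row["splunk_role"] or "").strip()
        if not host:
            problems.append(f"line {line_no}: empty host")
        elif role not in VALID_ROLES:  # assumption: exact match required
            problems.append(f"line {line_no}: {host}: unknown splunk_role {role!r}")
        elif (host.lower(), role) in seen:
            problems.append(f"line {line_no}: {host}: duplicate row")
        else:
            seen.add((host.lower(), role))
            rows.append({"host": host, "splunk_role": role})
    return rows, problems

# Constructed sample input; hostnames are placeholders
SAMPLE = """host,splunk_role
idx01.example.com,indexer
sh01.example.com,search_head
cm01.example.com,cluster_master
hf01.example.com,Heavy_Forwarder
idx01.example.com,indexer
,license_master
"""

if __name__ == "__main__":
    rows, problems = validate_entities(SAMPLE)
    for p in problems:
        print("REJECT", p)
    for r in rows:
        print("OK    ", r["host"], r["splunk_role"])
```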

Step 4: Test the configuration

After you install the content pack and import your entities, make sure everything is set up correctly. Click Service Analyzer from the ITSI main menu and confirm you see a service tree similar to the following:

[Image: SatSservicetree2.png]

Step 5: (Optional) Configure alerting

The Content Pack for Monitoring Splunk as a Service is designed to integrate with the Content Pack for Monitoring and Alerting. It's a best practice to use the Content Pack for Monitoring and Alerting to receive proactive notifications on service, entity, and KPI degradations. For installation and configuration steps, see Install and configure the Content Pack for Monitoring and Alerting.

Step 6: Tune KPI thresholds

You need to configure thresholds for the KPIs included in this content pack based on your Splunk environment. Some KPIs, such as basic performance counters like CPU utilization, have universal best practices for threshold configuration. Others, like the number of forwarders, are very specific to your deployment. For instructions to configure KPI thresholds, see Configure KPI thresholds in ITSI in the Service Insights manual.

Consider leveraging machine learning algorithms to determine environment-specific thresholds. For instructions to configure time-based or adaptive KPI thresholds, see Overview of advanced thresholding in ITSI in the Service Insights manual. If you perform advanced thresholding on your KPIs, make sure to revisit them after a week to make sure the learning period is representative of a typical healthy week.

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current

