Install and configure the Content Pack for Monitoring Splunk as a Service
Perform the following high-level steps to configure the Content Pack for Monitoring Splunk as a Service:
- Install the content pack on your ITSI search head.
- Remove unnecessary services.
- Import or update entities.
- Test the configuration.
- (Optional) Configure alerting.
- Tune KPI thresholds.
The Content Pack for Monitoring Splunk as a Service doesn't have team restrictions and is therefore available to the Global team. If you want to limit visibility to the content pack, create a new ITSI team and associate the services to the newly created team. For more information about teams, see Overview of teams in ITSI in the Service Insights manual.
All services and service templates in this content pack begin with the name Splunk, and base searches are prefaced with SPLK, for ease of filtering.
Take a full backup of your ITSI environment in case you need to uninstall the content pack later. For more information, see Create a full backup of ITSI in the Administration Manual.
Step 1: Install the content pack
In a future release, Splunk Cloud Platform customers will be able to install the content pack directly through the ITSI Content Library. You can also install content packs through the ITSI REST API. If you're an on-premises customer on a version lower than 4.8.0, see Install the content pack on an on-premises instance.
Install the content pack through the REST API
On ITSI version 4.8.x you can use the itoa_interface/content_pack endpoint to install content packs through the ITSI REST API. The endpoint includes GET operations to fetch versioning information and preview the contents of the content pack, and a POST operation to install content packs.
Install the content pack on an on-premises instance
Perform the following steps to install the content pack:
- Download the following ITSI backup file: BACKUP-CP-SPLUNK-2.0.1.zip
- On your ITSI search head, create a restore job and upload the backup file. For instructions, see Restore from a backup zip file.
- After the restore job completes, confirm that the objects included in the content pack are restored to your environment.
Step 2: Remove unnecessary services
Not all deployed environments have the full assortment of services represented in this content pack. After you install the content pack, go to Configuration > Services within ITSI and delete any services that don't exist in your environment.
Step 3: Import or update entities
To model your Splunk architecture, you need to import each piece of your Splunk infrastructure into ITSI as an individual entity. All services included in this content pack rely on the corresponding entity having an entity information field called splunk_role. You need to include this field when you import your Splunk infrastructure. If your entities already exist, you need to add this field by re-importing them.
To create your Splunk entities, go to Configuration > Entities from the ITSI main menu. You can create entities manually for a smaller environment, or bulk import them from a CSV file or a Splunk search in a larger environment.
If using the bulk import method, perform the following steps:
- Create a Splunk table or a CSV file with the columns host and splunk_role.
- For each Splunk host you want to import, assign a role in the splunk_role column for the component of your Splunk architecture it corresponds to. This list gives the splunk_role value needed for each type of host in order for it to be mapped to a service in the service tree:
  - ITSI instances: itsi
  - Indexers: indexer
  - Cluster managers: indexer_cluster_master
  - Search heads: search_head
  - Clustered search heads: search_head_cluster
  - Deployment servers: deployment_server
  - License masters: license_master
  - Enterprise Security instances: enterprise_security
  - Heavy forwarders: heavy_forwarder
  - Management Console: mgmt_console
- From the ITSI main menu, click Configuration > Entities.
- Click Create entity and import your entities from your CSV file or Splunk search.
- In the Import Column As step of the import, configure the following column types:
  - host: Entity Title
  - splunk_role: Entity Information Field
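The following script is an added example, not part of the content pack or the Splunk documentation. It builds the host/splunk_role CSV for the bulk import from a host inventory, rejects rows whose role is not one of the values the content pack maps to a service, rejects a host that appears twice (each host should carry exactly one splunk_role), and reports which roles have no hosts so you know which services to delete in Step 2. The inventory and host names are constructed sample data; the function names are this example's own.

```python
"""Build the entity-import CSV for the Content Pack for Monitoring Splunk as a Service.

Added example (not Splunk's code). Assumes the host inventory is available as
(host, splunk_role) pairs; SAMPLE_INVENTORY below is constructed sample data.
"""
import csv
import io

# splunk_role values the content pack maps to services, taken from the
# documentation table (value -> instance type).
SPLUNK_ROLES = {
    "itsi": "ITSI instances",
    "indexer": "Indexers",
    "indexer_cluster_master": "Cluster managers",
    "search_head": "Search heads",
    "search_head_cluster": "Clustered search heads",
    "deployment_server": "Deployment servers",
    "license_master": "License masters",
    "enterprise_security": "Enterprise Security instances",
    "heavy_forwarder": "Heavy forwarders",
    "mgmt_console": "Management Console",
}

# Constructed sample inventory. The misspelled role and the duplicate host are
# deliberate so the validation below has something to reject.
SAMPLE_INVENTORY = [
    ("idx01.example.com", "indexer"),
    ("idx02.example.com", "indexer"),
    ("cm01.example.com", "indexer_cluster_master"),
    ("sh01.example.com", "search_head_cluster"),
    ("itsi01.example.com", "itsi"),
    ("lm01.example.com", "licence_master"),  # not a valid splunk_role value
    ("idx01.example.com", "search_head"),    # duplicate host
]


def validate_inventory(inventory):
    """Split the inventory into rows accepted for import and a list of errors.

    A row is rejected when its role is not in SPLUNK_ROLES, or when its host
    already appeared earlier (one host, one splunk_role). Returns (valid, errors).
    """
    seen = set()
    valid, errors = [], []
    for host, role in inventory:
        host, role = host.strip(), role.strip()
        if role not in SPLUNK_ROLES:
            errors.append(
                f"{host}: unknown splunk_role {role!r}; "
                f"expected one of {sorted(SPLUNK_ROLES)}"
            )
            continue
        if host in seen:
            errors.append(f"{host}: duplicate host; each host may have only one splunk_role")
            continue
        seen.add(host)
        valid.append((host, role))
    return valid, errors


def build_entity_csv(inventory):
    """Return the CSV text to upload in Configuration > Entities.

    Columns are host (imported as Entity Title) and splunk_role (imported as an
    Entity Information Field). Raises ValueError listing every problem if the
    inventory does not validate, so a bad row never reaches ITSI silently.
    """
    valid, errors = validate_inventory(inventory)
    if errors:
        raise ValueError("inventory rejected:\n" + "\n".join(errors))
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "splunk_role"])
    writer.writerows(valid)
    return buf.getvalue()


def missing_roles(inventory):
    """Roles from the content pack table with no host in the inventory.

    The services for these roles have nothing to monitor and are the
    candidates to delete in Step 2 (Remove unnecessary services).
    """
    present = {role for _, role in validate_inventory(inventory)[0]}
    return sorted(set(SPLUNK_ROLES) - present)


if __name__ == "__main__":
    accepted, problems = validate_inventory(SAMPLE_INVENTORY)
    for problem in problems:
        print("REJECTED:", problem)
    print(build_entity_csv(accepted), end="")
    print("roles with no hosts (services to consider deleting):", missing_roles(accepted))
```

Run it once against your real inventory before uploading; the rejected rows are exactly the ones that would otherwise land in ITSI without a matching service.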
Step 4: Test the configuration
After you install the content pack and import your entities, make sure everything is set up correctly. Click Service Analyzer from the ITSI main menu and confirm you see a service tree similar to the following:
Step 5: (Optional) Configure alerting
The Content Pack for Monitoring Splunk as a Service is designed to integrate with the Content Pack for Monitoring and Alerting. It's a best practice to use the Content Pack for Monitoring and Alerting to receive proactive notifications on service, entity, and KPI degradations. For installation and configuration steps, see Install and configure the Content Pack for Monitoring and Alerting.
Step 6: Tune KPI thresholds
You need to configure thresholds for the KPIs included in this content pack based on your Splunk environment. Some KPIs, such as basic performance counters like CPU utilization, have universal best practices for threshold configuration. Others, like the number of forwarders, are very specific to your deployment. For instructions to configure KPI thresholds, see Configure KPI thresholds in ITSI in the Service Insights manual.
Consider leveraging machine learning algorithms to determine environment-specific thresholds. For instructions to configure time-based or adaptive KPI thresholds, see Overview of advanced thresholding in ITSI in the Service Insights manual. If you perform advanced thresholding on your KPIs, make sure to revisit them after a week to make sure the learning period is representative of a typical healthy week.
This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current