Splunk® Content Packs for ITSI and IT Essentials Work

Migrate from the Content Pack for Splunk Infrastructure Monitoring to the Content Pack for Splunk Observability Cloud

The Content Pack for Splunk Infrastructure Monitoring was replaced by the Content Pack for Splunk Observability Cloud in version 1.4.0 of the Splunk App for Content Packs. If you were using the Content Pack for Splunk Infrastructure Monitoring, follow these steps to migrate to the Content Pack for Splunk Observability Cloud.

Prerequisite

Create a full backup of your ITSI environment. For more information, see Create a full backup in the Administration Manual.

Step 1: Disable the content pack app

  1. Go to Apps > Manage Apps.
  2. Search for "Splunk Infrastructure Monitoring".
  3. Locate Folder Name: DA-ITSI-CP-splunk-infra-monitoring and select Disable under Status.

Disabling the app will also disable the saved entity searches.

Step 2: Remove Content Pack for Splunk Infrastructure Monitoring objects

There are two options to remove the content pack objects:

  1. Remove through the ITSI user interface.
  2. Use REST API calls. This approach is faster.

Option 1: Remove the Content Pack for Splunk Infrastructure Monitoring objects through the ITSI user interface

Step 1: Remove the Content Pack for Splunk Infrastructure Monitoring entities

  1. From the ITSI menu go to Configuration > Entities.
  2. Under Advanced Filter create this filter rule. Repeat for each filter value listed:
    • Filter: info
    • Field name: entity_type
    • Field values: AWS EC2, AWS Lambda, Azure Functions, Azure Virtual Machines, GCP Cloud Functions, GCP Compute Engine.
  3. Select all entities and select Bulk Action > Delete selected.

The list of entities is paginated. Be sure to delete all entities.

Step 2: Remove the Content Pack for Splunk Infrastructure Monitoring entity types

  1. From the ITSI menu go to Configuration > Entities.
  2. Go to the Entity Type tab.
  3. For each of these entity types, select Edit > Delete.
    • AWS EC2
    • AWS Lambda
    • Azure Functions
    • Azure Virtual Machines
    • Google Cloud Functions
    • Google Compute Engine
    • Splunk Infrastructure Monitoring

Step 3: Remove the Content Pack for Splunk Infrastructure Monitoring services

  1. From the ITSI menu go to Configuration > Services.
  2. Select Edit > Delete for each of these services and any others you might have created:
    • AWS
    • AWS EC2
    • AWS Lambda
    • Azure
    • Azure Functions
    • Azure VM
    • Cloud
    • GCP
    • Google Cloud Functions
    • Google Compute Engine

Step 4: Remove the Content Pack for Splunk Infrastructure Monitoring KPI base searches

  1. From the ITSI menu go to Configuration > KPI Base Searches.
  2. Search for "SIM".
  3. Select Edit > Delete for each of these KPI base searches and any others you might have created:
    • SIM:Cloud.AWS_EC2
    • SIM:Cloud.AWS_Lambda_Cloudwatch
    • SIM:Cloud.Azure_Functions
    • SIM:Cloud.Azure_VM
    • SIM:Cloud.GCP_Compute
    • SIM:Cloud.GCP_Functions_Stackdriver

Step 5: Remove the Content Pack for Splunk Infrastructure Monitoring aggregation policies

  1. From the ITSI menu go to Configuration > Notable Event Aggregation Policies.
  2. Search for "SIM".
  3. Select Edit > Delete for each of these aggregation policies and any others you might have created:
    • SIM AWS EC2 Alerts
    • SIM Azure VM Alerts
    • SIM GCP Compute Engine Alerts

Option 2: Use REST API calls to remove the Content Pack for Splunk Infrastructure Monitoring objects

If you have a lot of entities, deleting objects via the API is faster.

For each REST API call, first use GET to verify that only the intended Content Pack for Splunk Infrastructure Monitoring objects are returned, then run the matching DELETE. Make the calls in the order shown. The -g (--globoff) option stops curl from treating the braces in the JSON filter as URL glob patterns, so the filter reaches the server unchanged. For information on the Splunk ITSI REST API, see the ITSI REST API Reference manual.

  1. Verify the Content Pack for Splunk Infrastructure Monitoring entities.
    curl -g -k -u admin:password -X GET 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity/?filter={"entity_type_ids":{"$regex":"da-itsi-cp-splunk-infra-monitoring.*"}}'
  2. Remove the Content Pack for Splunk Infrastructure Monitoring entities.
    curl -g -k -u admin:password -X DELETE 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity/?filter={"entity_type_ids":{"$regex":"da-itsi-cp-splunk-infra-monitoring.*"}}'
  3. Verify the Content Pack for Splunk Infrastructure Monitoring entity types.
    curl -g -k -u admin:password -X GET 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_entity_type?query={"source_itsi_da":"DA-ITSI-CP-splunk-infra-monitoring"}'
  4. Remove the Content Pack for Splunk Infrastructure Monitoring entity types.
    curl -g -k -u admin:password -X DELETE 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_entity_type?query={"source_itsi_da":"DA-ITSI-CP-splunk-infra-monitoring"}'
  5. Verify the Content Pack for Splunk Infrastructure Monitoring services, KPIs, and KPI base searches.
    curl -g -k -u admin:password -X GET 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services?query={"source_itsi_da":"DA-ITSI-CP-splunk-infra-monitoring"}'
  6. Remove the Content Pack for Splunk Infrastructure Monitoring services, KPIs, and KPI base searches.
    curl -g -k -u admin:password -X DELETE 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services?query={"source_itsi_da":"DA-ITSI-CP-splunk-infra-monitoring"}'
  7. Verify the Content Pack for Splunk Infrastructure Monitoring Notable Event Aggregation Policies.
    curl -g -k -u admin:password -X GET 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_notable_event_aggregation_policy?query={"_key":{"$regex":"(?i)^da-itsi-cp-splunk-infra-monitoring-sim"}}'
  8. Remove the Content Pack for Splunk Infrastructure Monitoring Notable Event Aggregation Policies.
    curl -g -k -u admin:password -X DELETE 'https://<Splunk server>:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_notable_event_aggregation_policy?query={"_key":{"$regex":"(?i)^da-itsi-cp-splunk-infra-monitoring-sim"}}'
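
The verify-then-remove sequence above can be scripted so that a DELETE is only sent when every object returned by the matching GET belongs to the content pack. This is an added example, not Splunk's own code. It assumes each GET returns a JSON array of objects carrying the fields named in the filters above; build_url, purge, the request callable and the host name are hypothetical, and request stands in for an HTTPS client that verifies the server certificate and reads credentials from outside the command line.

```python
import json
import re
from urllib.parse import quote

BASE = "https://splunk.example.com:8089/servicesNS/nobody/SA-ITOA/"  # placeholder host
APP = "DA-ITSI-CP-splunk-infra-monitoring"
ENTITY_RE = re.compile(r"da-itsi-cp-splunk-infra-monitoring.*")
POLICY_RE = re.compile(r"(?i)^da-itsi-cp-splunk-infra-monitoring-sim")

# (endpoint, parameter, filter, local check for one returned object), in the page's order
STEPS = [
    ("itoa_interface/entity/", "filter",
     {"entity_type_ids": {"$regex": ENTITY_RE.pattern}},
     lambda o: any(ENTITY_RE.search(t) for t in o.get("entity_type_ids", []))),
    ("storage/collections/data/itsi_entity_type", "query",
     {"source_itsi_da": APP}, lambda o: o.get("source_itsi_da") == APP),
    ("storage/collections/data/itsi_services", "query",
     {"source_itsi_da": APP}, lambda o: o.get("source_itsi_da") == APP),
    ("storage/collections/data/itsi_notable_event_aggregation_policy", "query",
     {"_key": {"$regex": POLICY_RE.pattern}},
     lambda o: bool(POLICY_RE.search(o.get("_key", "")))),
]

def build_url(endpoint, param, flt):
    """Percent-encode the JSON filter so braces and quotes survive any HTTP client."""
    return f"{BASE}{endpoint}?{param}={quote(json.dumps(flt, separators=(',', ':')))}"

def purge(request, dry_run=True):
    """request(method, url) -> response text. Returns [(endpoint, matched, deleted)]."""
    report = []
    for endpoint, param, flt, belongs in STEPS:
        url = build_url(endpoint, param, flt)
        objects = json.loads(request("GET", url))
        strays = [o.get("_key") for o in objects if not belongs(o)]
        if strays:  # the filter matched something outside the content pack: stop here
            raise RuntimeError(f"{endpoint}: unexpected objects {strays}")
        if objects and not dry_run:
            request("DELETE", url)
        report.append((endpoint, len(objects), bool(objects) and not dry_run))
    return report

if __name__ == "__main__":
    # Constructed object (not real ITSI output) that satisfies all four checks.
    demo = json.dumps([{"_key": "da-itsi-cp-splunk-infra-monitoring-sim-demo",
                        "entity_type_ids": ["da-itsi-cp-splunk-infra-monitoring-demo"],
                        "source_itsi_da": APP}])
    for row in purge(lambda method, url: demo):
        print(row)
```

With dry_run left at its default, only the GET requests are issued, which gives the same review step as the odd-numbered calls in the list.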

Step 3: Remove the Content Pack for Splunk Infrastructure Monitoring correlation searches

  1. From the ITSI menu go to Configuration > Correlation Searches.
  2. Search for "Splunk Infrastructure Monitoring Events".
  3. Select Edit > Delete for each of these correlation searches and any others you might have created:
    • Splunk Infrastructure Monitoring Events AWS EC2 Search
    • Splunk Infrastructure Monitoring Events Azure VM Search
    • Splunk Infrastructure Monitoring Events GCP Compute Engine Search

Step 4: Install the Content Pack for Splunk Observability Cloud

Once you have deleted all the objects from the Content Pack for Splunk Infrastructure Monitoring, you can install the Content Pack for Splunk Observability Cloud. See the Install and configure the Content Pack for Splunk Observability Cloud topic for installation steps.

Last modified on 27 October, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current
