Splunk® Content Packs for ITSI and IT Essentials Work

Splunk Content Packs for ITSI and IT Essentials Work

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Upgrade from a previous version of the Content Pack for ITSI Monitoring and Alerting

If you have installed a previous version of the content pack, you can upgrade to the latest version.

The new version of the content pack contains non-passive changes, which will cause downtime for content pack functionality during the upgrade. You won't receive notable events and episodes for your services and KPIs until the upgrade is complete.

Review and understand the upgrade steps before you begin.

  1. Make a note of which objects from the previous content pack version you have customized or enabled.
  2. Clone customized objects.
  3. Upgrade to the latest version of the content pack add-on from Splunkbase.
  4. Upgrade to the latest version of the ITSI content pack backup file.
  5. Manually review and reapply prior modifications to the updated content pack objects.
  6. Manually reenable the appropriate content pack objects.


Create a full backup of your ITSI environment in case you need to revert the upgraded version later. For more information, see Create a full backup in the Administer Splunk IT Service Intelligence manual.

Step 1: Note all customized or enabled content pack objects

ITSI restores will both overwrite and disable any objects from the restore file that also exist in your ITSI environment. Before you upgrade, you must identify all customized and enabled components. ITSI uses the name of the object to detect existing objects (for example, the name of the correlation search). Review the release notes for this content pack to see which ITSI objects are in the content pack, and identify any objects that you've enabled, as well as any objects that you've modified and customized. In the remaining upgrade steps, you will need to refer back to this list of objects for further action.

Step 2: (Optional) Clone customized objects from the original content pack

Cloning a customized object from the original content pack allows you to save the modified object under a new name, which ensures that your changes are not be lost after the upgrade. Keep the cloned objects disabled. They exist only to allow you to perform a manual review of the updated content pack objects with your customizations to determine what changes to reincorporate after the upgrade.

Step 3: Upgrade the content pack add-on

Upgrade the supporting add-on from Splunkbase to the latest version on your search head running ITSI. You don't need to restart Splunk software unless it's specifically indicated after the installation process.

Step 4: Upgrade the ITSI content pack

Follow the instructions in Step 4: Install the content pack.

Step 5: Reapply prior customizations to the upgraded content pack objects

Based on prior customizations to the content pack objects that you identified before you began the upgrade process, you might need to reapply those customizations to the upgraded objects. Review modification from the cloned objects as well as the release notes to reapply customizations as necessary. When you are satisfied that prior customizations are appropriately integrated into the latest version of the content pack objects, you can remove any objects you cloned.

Step 6: Enable previously active content pack objects

After the upgrade, all previously enabled content pack objects are disabled, so you must enable the correct objects again to restore content pack functionality. Based on the content pack objects that were enabled before the upgrade, as well as any new functionality you want to begin using with the upgraded content pack version, evaluate and enable the appropriate objects.

Last modified on 27 October, 2021
Install and configure the Content Pack for ITSI Monitoring and Alerting
Configure alerts in the Content Pack for ITSI Monitoring and Alerting

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters