Splunk® Content Packs for ITSI and IT Essentials Work


Install and configure the Content Pack for Shared IT Infrastructure Components

The Splunk App for Content Packs allows you to access content packs, preview their contents, and install them in your environment. The Splunk App for Content Packs includes the Content Pack for Shared IT Infrastructure Components provided you are using ITSI version 4.9.0 or higher or IT Essentials Work version 4.9.0 or higher. If you are using ITSI version 4.8.x or lower, or IT Essentials Work version 1.0.x or lower, you must install the content pack using the backup and restore functionality provided by ITSI and IT Essentials Work.

For a full list of the objects shipped in this content pack, see About the Content Pack for Shared IT Infrastructure Components.

Installation and configuration overview

Follow these high-level steps to configure the Content Pack for Shared IT Infrastructure Components:

  1. Install the Content Pack for Shared IT Infrastructure Components.
  2. Review past critical issues.
  3. Integrate the content pack with existing alerts.
  4. Configure a single service.

Prerequisites

  • Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
  • Take a full backup of your ITSI environment in case you need to uninstall the content pack later. See Create a full backup.

Install the Content Pack for Shared IT Infrastructure Components

You have two options for installing and configuring the Content pack for Shared IT Infrastructure Components:

  • One option is to install the content pack from the Splunk App for Content Packs. The Content Pack for Shared IT Infrastructure Components is included in the Splunk App for Content Packs if you are using ITSI version 4.9.x or IT Essentials Work version 4.9.x or higher.
  • Your second option is to install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work. You must choose this option if you are using ITSI version 4.8.x or lower or IT Essentials Work version 1.0.x or lower.

Install the content pack from the Splunk App for Content Packs

To install the Content Pack for Shared IT Infrastructure Components, you must install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Splunk App for Content Pack installation instructions.

The Content Pack for Shared IT Infrastructure Components contents are automatically installed and running once you install the Splunk App for Content Packs on the search head where you installed ITSI version 4.9.x or IT Essentials Work version 4.9.x.

After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Shared IT Infrastructure Components:

  1. From the ITSI or IT Essentials Work main navigation bar, click Configuration > Data Integrations.
  2. Click Add structure to your data.
  3. Select the Shared IT Infrastructure Components content pack.
  4. Review what's included in the content pack and click Proceed.
  5. Configure the content pack settings. Refer to the table that follows these steps for setting descriptions.
  6. When you've completed your selections, click Install selected.
  7. Click Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green checkmark on the Data Integrations page shows any other content packs you have installed.

Refer to the following table for content pack setting option descriptions:

Content pack setting: Choose which objects to install
Description: For a first-time installation, select the items you want to install and deselect any you do not want to install. For an upgrade installation, the installer identifies which objects from the latest version of the content pack are new and which objects are currently in your environment. You can choose which objects to install from the new version.

Content pack setting: Choose a conflict resolution rule for the objects you install: Install as new
Description: For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. When you install as new, objects are installed and any existing identical objects in your environment remain intact.

Content pack setting: Choose a conflict resolution rule for the objects you install: Replace existing
Description: For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. When you replace existing, any existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.

Content pack setting: Import as enabled
Description: Select whether to install objects as enabled or to leave them in their original state. Importing objects as disabled ensures your environment is not impacted by the addition of new content. This setting only applies to services, correlation searches, and aggregation policies. All other objects, such as KPI base searches and saved searches, are installed in their original state regardless of the option you choose.

Content pack setting: Add a prefix to new objects
Description: Optionally, add a custom prefix to the name of each object installed from the content pack. For example, you can prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects after installation.

Content pack setting: Backfill service KPIs
Description: Optionally backfill your ITSI environment with the previous seven days of KPI data. Enable backfill if you want to configure adaptive thresholding and predictive analytics for the new services. This setting only applies to KPIs, not service health scores.

Install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work

If you are using ITSI version 4.8.x or lower or IT Essentials Work version 1.0.x or lower, follow these steps to install the Content Pack for Shared IT Infrastructure Components. For instructions on restoring a backup, see Restore from a backup zip in the Administration Manual.

  1. Download the following ITSI backup file: BACKUP-CP-SHARED-INFRA-1.3.1.zip.
  2. On your ITSI search head, create a restore job and upload the backup file. Give the job the same name as the backup file you downloaded, for example, BACKUP-CP-SHARED-INFRA-1.3.1.
  3. After the restore job completes, confirm that the objects included in the content pack are restored to your environment. For a full list of the objects shipped in this content pack, see About the Content Pack for Shared IT Infrastructure Components.

Review past critical issues

The service dependency tree included with this content pack contains 30 discrete areas that you might already be monitoring. The next step is to prioritize which areas to ingest into ITSI. Review critical issues, such as P0s, P1s and major P2s, from the past 6-9 months and determine the root cause of each issue.

Consider the following guidelines when reviewing past critical issues:

  • The functional area where the problem occurred can help you prioritize which services to instrument using metrics and which to ignore for now.
  • The root causes of each case can guide you to specific KPIs that can help with root cause analysis during the next outage.

Integrate the content pack with existing alerts

The Shared IT Infrastructure tree provided with this content pack includes 30 discrete areas that might already be monitored in your environment. Ingest that data into the Splunk platform and then tie it to one or more service-specific KPIs.

Perform the following steps for each service in the Shared IT Infrastructure tree corresponding to areas that generate alerts:

  1. Ingest the alerts into a Splunk index not tied to ITSI. For more information, see How do you want to add data in the Splunk Enterprise Getting Data In manual.
  2. Create a correlation search to normalize the information in the alerts and save them as ITSI notable events. For more information, see Overview of correlation searches in ITSI in the Event Analytics manual.
  3. Within the associated service, create a KPI that counts the number of recent alerts. For more information, see Overview of creating KPIs in ITSI in the Service Insights manual.
  4. In the new KPI's thresholding section, set times with zero alerts to Normal severity and set times with one or more alerts to High severity.
  5. Modify the health score calculation by setting the importance for the alerting KPI to 11. For more information, see Set KPI importance values in ITSI in the Service Insights manual.
  6. (Optional) To aggregate the alerts into episodes and manage them in Episode Review, perform the following steps:
    1. Create a correlation search to process and normalize external alerts and store them back to ITSI as notable events.
    2. Create a notable event aggregation policy for those specific events. For more information, see Overview of aggregation policies in ITSI in the Event Analytics manual.
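One way to write the normalization search in step 2, as an added example that is not part of this page or the content pack: it classifies raw monitoring alerts into the tree's functional areas and maps vendor severities onto the ITSI notable event severity scale (1 Info through 6 Critical), producing the title, description and severity fields that the correlation search's Notable Event action can reference as %title%, %description% and %severity%. The index infra_alerts, the sourcetype monitoring_alert and the fields alert_name and vendor_severity are assumptions about the ingested alert data, not values from the page.

```spl
index=infra_alerts sourcetype=monitoring_alert
| eval service_area=case(
      match(alert_name, "(?i)dns"),  "DNS",
      match(alert_name, "(?i)dhcp"), "DHCP",
      match(alert_name, "(?i)ntp"),  "NTP",
      match(alert_name, "(?i)smtp"), "SMTP",
      true(),                        "Unclassified")
| eval severity=case(
      in(lower(vendor_severity), "critical", "down"), 6,
      in(lower(vendor_severity), "major", "error"),   5,
      in(lower(vendor_severity), "minor", "warning"), 4,
      true(),                                         3)
| eval title=service_area . ": " . alert_name . " on " . host
| eval description="Normalized from " . sourcetype . " alert '" . alert_name . "' (vendor severity " . vendor_severity . ")"
| dedup host, alert_name
| table _time, host, service_area, alert_name, severity, title, description
```

Set the correlation search's time range (for example, the last 15 minutes) in its schedule rather than in the search text, so each run only normalizes alerts that arrived since the previous run. The KPI in step 3 can then count these normalized events for its service area, so that a window with zero events is Normal and a window with one or more is High.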

For areas of the ITSI Shared IT Infrastructure tree where alerts aren't available, remove the Heartbeat KPI. Removing this KPI changes the corresponding service from green to gray, indicating that there is an unmonitored dependency in the environment.

Configure a single service

To configure a single service, link it to the service template included with one of the OS content packs, or add the appropriate KPIs manually.

  1. Perform one of the following steps depending on your data source:
    1. OS metrics: Link the service to the appropriate OS KPI service template from one of the OS content packs. Edit the service's entity rules to match the correct hosts.
    2. Service-specific metrics: Add the appropriate KPIs manually or use other ITSI content packs.
  2. Enable the service and its parent services.

Integrate services with OS metric data

You can monitor some areas of your infrastructure at the OS level, including Active Directory or network services such as DNS, DHCP, NTP, and the systems providing the SMTP backbone. Application logs and KPIs tied to performance of the services provided by those servers provide additional visibility into your infrastructure.

Perform the following steps to integrate with OS metric data:

  1. In ITSI, click Configuration > Services and open the service you want to integrate.
  2. Configure the entity rules to match the correct hosts.
  3. Use the OS monitoring approach to create KPIs in this service corresponding to OS metrics. For more information, see About the Content Pack for Monitoring Unix and Linux or About the Content Pack for Monitoring Microsoft Windows, depending on your operating system.
  4. Go to the Settings tab of the service and configure the health score calculation.
  5. Review and configure the importance levels of critical KPIs.
  6. Click Save to save the service configuration.

Integrate services with service-specific metric data

Perform the following steps for each of your services related to a recent major outage:

  1. Identify the root causes of past issues and the corresponding data sources. Make sure that data is ingested into the Splunk platform, or ingest that data.
  2. In ITSI, click Configuration > Services and open the service you want to integrate.
  3. Configure the entity rules to match the correct hosts.
  4. Create individual KPIs to track the root causes of potential issues.
  5. Go to the Settings tab of the service and configure the health score calculation.
  6. Review and configure the importance levels of critical KPIs.
  7. Click Save to save the service configuration.
Last modified on 29 November, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current
