Introduction
This manual covers the tasks of administering an ITSI deployment, including configuring users and roles, scheduling maintenance windows, and backing up your ITSI environment.
ITSI Installation
Splunk IT Service Intelligence (ITSI) version 4.16.x is a cloud-only release. Splunk Cloud Platform customers have to work with Support to install or uninstall ITSI.
Deployment types
- Single-instance deployment: a single Splunk Enterprise instance serves as both search head and indexer.
- Distributed deployment: search head, indexer, license master, and heavy forwarder (HF).
- Search head cluster and indexer cluster.
The ITSI installation package places the following directories in $SPLUNK_HOME/etc/apps:
Domain add-ons
- DA-ITSI-APPSERVER
- DA-ITSI-DATABASE
- DA-ITSI-EUEM
- DA-ITSI-LB
- DA-ITSI-OS
- DA-ITSI-STORAGE
- DA-ITSI-VIRTUALIZATION
- DA-ITSI-WEBSERVER
Supporting add-ons
- SA-IndexCreation - Summary index configuration; install on the indexer.
- SA-ITOA - Entity and service management; install on the license master.
- SA-ITSI-ATAD - Adaptive threshold management.
- SA-ITSI-CustomModuleViz - Custom visualization files.
- SA-ITSI-Licensechecker - License checking; install on the license master.
- SA-ITSI-MetricAD - Anomaly detection.
- SA-UserAccess - User access; install on the license master.
Configure indexes in ITSI
IT Service Intelligence (ITSI) implements custom indexes for event storage. All ITSI indexes are listed in $SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf.
- anomaly_detection: Supports trending and cohesive anomaly detection.
- itsi_grouped_alerts: Stores active episode data.
- itsi_im_meta: Used for metadata from the default data integrations.
- itsi_im_metrics: Used for metrics from the default data integrations.
- itsi_import_objects: Used by ITSI in the entity creation process.
- itsi_notable_audit: Stores all audit events for episodes, including actions, comments, status changes, and owner changes.
- itsi_notable_archive: Stores episode metadata (tags and comments) that has been moved from the KV store after a default 6-month retention period.
- itsi_summary: Stores the results of scheduled KPI searches.
- itsi_summary_metrics: A metrics index that stores the results of scheduled KPI searches.
- itsi_tracked_alerts: Stores active raw notable event data.
- snmptrapd: Stores events coming in from SNMP traps.
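A check for the index definitions above, as an added example (not part of the Splunk documentation or of ITSI itself): it parses the text of an indexes.conf file and reports any of the listed itsi_* indexes that is missing, disabled, or declared with the wrong datatype. Treating itsi_im_metrics as a metrics index and the remaining indexes as event indexes is an assumption of this example, and the sample configuration is constructed.

```python
# Index names from the list above. Which ones are metrics indexes is an
# assumption of this example ("event" is the default datatype when unset).
METRIC = {"itsi_im_metrics", "itsi_summary_metrics"}
EVENT = {"itsi_grouped_alerts", "itsi_im_meta", "itsi_import_objects",
         "itsi_notable_audit", "itsi_notable_archive", "itsi_summary",
         "itsi_tracked_alerts"}
EXPECTED = {**dict.fromkeys(EVENT, "event"), **dict.fromkeys(METRIC, "metric")}

def parse_conf(text):
    """Parse .conf text into {stanza: {setting: value}}; repeated stanzas merge."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_indexes(text, expected=EXPECTED):
    """Return sorted (index, problem) pairs for the body of an indexes.conf."""
    stanzas, findings = parse_conf(text), []
    for name, want in expected.items():
        conf = stanzas.get(name)
        if conf is None:
            findings.append((name, "missing stanza"))
            continue
        got = conf.get("datatype", "event")
        if got != want:
            findings.append((name, f"datatype {got}, expected {want}"))
        if conf.get("disabled", "0").lower() in ("1", "true"):
            findings.append((name, "disabled"))
    return sorted(findings)

SAMPLE = """# constructed sample, trimmed to the settings the check reads
[itsi_grouped_alerts]
[itsi_im_meta]
[itsi_im_metrics]
datatype = metric
[itsi_import_objects]
[itsi_notable_archive]
[itsi_summary]
[itsi_summary_metrics]
[itsi_tracked_alerts]
disabled = true
"""

if __name__ == "__main__":
    print(*audit_indexes(SAMPLE), sep="\n")
```

A missing or disabled itsi_notable_audit index is the finding to treat first, because that index holds the audit trail for episode actions and ownership changes.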
ITSI license requirements
ITSI requires a separate ITSI license in addition to your Splunk Enterprise license. Install both the ITSI license and the Splunk Enterprise license on the license master.
Splunk ITSI meters Splunk indexes for ingest-based license usage and capacity consumption calculations.