Splunk ITSI APP
Table of Contents
Splunk IT Service Intelligence
Splunk IT Service Intelligence (ITSI) is a monitoring and analytics solution that empowers IT and business professionals to predict and prevent problems before they impact revenue and customer experience. With AI powered by machine learning at its core, Splunk ITSI aggregates various data types, tracks trends based on this data, and is designed to deliver the business-critical insights and predictions you need to stay ahead of service degradations, resource constraints and system outages.
Customers like TransUnion trust Splunk ITSI to create a unified view of critical IT and business services, applications and infrastructure. They rely on ITSI to predict imminent outages, highlight anomalies, detect root causes, and pinpoint areas of impact, enabling them to deliver operations and services that exceed business and customer expectations. This means fewer incidents and outages and also a reduction in incident investigation and resolution time. It also means visibility and insight into the health of services that simply can’t be achieved with siloed point solutions.
Unlike legacy platforms that silo data, don’t scale, and can’t trend and predict problems, Splunk ITSI is built on the Splunk platform, bringing disconnected data together. Splunk scales when and how you need, and is designed to deliver the data-driven insight you need to detect problems, simplify investigations, triage issues and accelerate resolutions. Splunk ITSI APP wrangles large amounts of log, text, wire, metric, API and even social media derived data that support on premises, cloud, or hybrid-supported applications and infrastructure, and then easily apply machine learning to real-time production environments in a single, accessible and configurable view.
Splunk ITSI APP deployment
You can deploy Splunk IT Service Intelligence in a single instance deployment or a distributed search deployment. Splunk IT Service Intelligence is also available in Splunk Cloud. Before you deploy Splunk IT Service Intelligence on premises, familiarize yourself with the components of a Splunk platform deployment.
Single Instance Deployments
For a simple and small deployment, install ITSI on a single Splunk platform instance. A single instance functions as both a search head and an indexer. Use forwarders to collect your data and send it to the single instance for parsing, storing, and searching.
You can use a single instance deployment for a lab or test environment, or a small system with one or two users running concurrent searches.
You can deploy ITSI across any distributed architecture supported by Splunk Enterprise. This includes all types of deployment topologies, from small departmental deployments using a single instance for both indexer and search head, to large enterprise deployments using several search heads, dozens of indexers, and hundreds of forwarders.
Splunk ITSI APP Service Intelligence is available as a service in Splunk Cloud. The Splunk Cloud deployment architecture varies based on data and search load. Splunk Cloud customers work with Splunk Support to set up, manage, and maintain their cloud infrastructure.
Integration with the Splunk App for Infrastructure
As of version 4.2.0, ITSI ships with Splunk App for Infrastructure (SAI). Integration with SAI is enabled by default. If you’re upgrading ITSI while SAI is already installed in your environment, the SAI version is upgraded to the most recent version.
If you’re using the Splunk Add-on for Amazon Web Services and Splunk App for Infrastructure (SAI) to monitor AWS data, don’t install ITSI version 4.4.0 or SAI 2.0.0. SAI version 2.0.0 is not compatible with the Splunk Add-on for Amazon Web Services. If you’re using SAI to monitor AWS data with the add-on, this version of ITSI and SAI provides no way to continue doing so.
The Splunk ITSI APP installation package includes SAI and the Splunk Add-on for Infrastructure. Consider the following installation locations when upgrading Splunk ITSI APP:
- On a single instance deployment, both SAI and the Splunk Add-on for Infrastructure are installed by default with ITSI on the same instance of Splunk Enterprise.
- In a distributed environment, SAI is installed with ITSI on the search head, and the Splunk Add-on for Infrastructure is installed on the indexers.
- For a list of the directories included in ITSI, see About the ITSI installation package.
The ITSI installation package also includes the vmware_ta_itsi parent directory which contains components you need to deploy VMware data collection for SAI. If you don’t want to deploy VMware data collection, remove the directory from the ITSI package. For information about requirements and installation steps for VMware data collection components, see these topics in the Install and Upgrade Splunk App for Infrastructure guide:
- VMware data collection planning and requirements
- Install VMware data collection add-ons and dependencies
Before installing, see the release notes for SAI and the Splunk Add-on for Infrastructure:
- What’s new in Splunk App for Infrastructure in the Release Notes for Splunk App for Infrastructure manual.
- Release notes for the Splunk Add-on for Infrastructure in the Use the Splunk Add-on for Infrastructure manual.
Splunk Enterprise System Requirements
Splunk IT Service Intelligence requires a 64-bit OS install on all search heads and indexers.
ITSI is incompatible with Splunk Enterprise versions 7.2.0 – 7.2.3.
To prevent ITSI Event Analytics from duplicating events on Splunk Enterprise versions 7.1.x and 7.2.4 – 7.2.10, create a limits.conf file on all search heads at $SPLUNK_HOME/etc/apps/SA-ITOA/local/ and add the following stanza:
If you do not plan on using Event Analytics, the workaround is not necessary.
CPU core count and RAM are critical factors in indexer and search head performance. ITSI requires minimum hardware specifications that you increase according to your needs and usage of ITSI. These specifications also apply for a single instance deployment of ITSI.
Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest and parse data efficiently while responding to search requests. For the latest IOPS requirements to run Splunk Enterprise, see Reference Hardware: Indexer in the Splunk Enterprise Capacity Planning Manual.
You might need to increase the hardware specifications of your own ITSI deployment above the minimum hardware requirements depending on your environment. Depending on your system configuration, refer to the mid-range or high-performance specifications for Splunk platform reference hardware.
If the number of indexer CPU cores in your deployment exceeds the minimum hardware specifications, you can implement one of the parallelization settings to improve the indexer performance for specific use cases.
Operating system requirements
For a list of supported operating systems, browsers, and file systems, see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual.
When installing IT Service Intelligence on Ubuntu, use Bash shell. Do not use Dash shell as it can result in defunct processes.
ITSI License Requirements
ITSI requires a separate ITSI license in addition to your Splunk Enterprise license. Your Splunk representative will provide you with an appropriate ITSI license at the time of purchase. For ITSI license installation instructions, see Install a license in the Splunk Enterprise Installation and Configuration Manual.
IT Service Intelligence ships with an internal license stack called the IT Service Intelligence Internals *DO NOT COPY* stack. Because ITSI event analytics generates a large number of notable events, this internal stack ensures that you don’t pay for these generated events. The sourcetypes used to track notable events and episodes are counted on this special stack with no impact on your Splunk Enterprise license. When calculating your daily license usage, disregard this stack, as it only counts internal ITSI usage.
IT Service Intelligence requires Java 8x – 11.x to run anomaly detection and event management features. ITSI supports OpenJDK and Oracle JDK 8-11. Java installation is required on search heads only, not indexers or forwarders.