Solved: How to install Splunk IT Service Intelligence on a...

gagandeep_arora · ‎01-18-2018

Hello Team,

I am trying to install Splunk ITSI for a single Windows Splunk instance.

As per Splunk ITSI installation manual:
"On Windows, rename the file extension from .spl to .tgz first and use a third-party utility like 7-Zip to perform the extraction."
after extraction using 7-zip, I get ".tar" single file.

I placed that file into Splunk/etc/apps and started the splunk instance.

I don't see any output out of these. Is there any step I am missing which will be further extracting the "*.tar" file into sub modules?

493669 · ‎01-18-2018

Hi @gagandeep_arora,
When you extract .tgz file it will get extracted into .tar file first then you need to again extract .tar file then you will get one folder. Now place this folder into Splunk/etc/apps/ directory and start splunk splunk instance.
Now you will able to see the app.
Hope this helps you.

View solution in original post

mayurr98 · ‎01-20-2018

When installing ITSI on Windows, rename inputs.conf.windows to inputs.conf, in both SA-Utils and SA-ThreatIntelligence default directories.

For example:

    cd $SPLUNK_HOME/etc/apps/SA-Utils/default/
    cp inputs.conf inputs.conf.bak
    cp inputs.conf.windows inputs.conf
    rm inputs.conf.windows

Also
About admin_all_objects capability

ITSI version 2.6.0 and later does not require the admin_all_objects capability assigned to the itoa_admin role. Although you can assign this capability to the itoa_admin role manually, this is not recommended on Splunk Enterprise version 6.6.0 or later.

    If you are installing ITSI 3.0.0 on a version of Splunk Enterprise prior to version 6.6.0, you must add the admin_all_objects capability manually to the itoa_admin role or ITSI might not function as expected.

let me know if this helps!

hjauch_splunk · ‎01-19-2018

There are multiple folders for ITSI. Place all of them into Splunk\etc\apps

493669 · ‎01-18-2018

Hi @gagandeep_arora,
When you extract .tgz file it will get extracted into .tar file first then you need to again extract .tar file then you will get one folder. Now place this folder into Splunk/etc/apps/ directory and start splunk splunk instance.
Now you will able to see the app.
Hope this helps you.

493669 · ‎01-20-2018

Hi @gagandeep_arora,
You can accept answer if you think the answer is relevant to your question to close this question.

gagandeep_arora · ‎01-25-2018

Thanks.,, It was really helpful...

I am able to see the ITSI apps under my Apps now. but I am seeing the error message:
1. Importing IT Service Intelligence settings from conf files for apps and modules failed with: Splunkd daemon is not responding: ("Error connecting to /servicesNS/nobody/SA-ITOA/properties: ('The read operation timed out',)",)
2. Failed to import Team settings. ITSI will not work properly until the Team settings are imported. See this documentation page for instructions on how to resolve this issue.

Any idea how can I get it resolved. - When I am trying to create a team it says page not found.

493669 · ‎01-25-2018

have you tried to rename inputs.conf.windows to inputs.conf as suggested by @mayurr98
As I haven't use ITSI apps so I am not aware ...if it doesn't resolves your issue then you can post separate question
Thanks.

How to install Splunk IT Service Intelligence on a single Windows Splunk instance?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation