Splunk ITSI

How to install Splunk IT Service Intelligence on a single Windows Splunk instance?

gagandeep_arora
Path Finder

Hello Team,

I am trying to install Splunk ITSI for a single Windows Splunk instance.

As per Splunk ITSI installation manual:
"On Windows, rename the file extension from .spl to .tgz first and use a third-party utility like 7-Zip to perform the extraction."
After extraction using 7-Zip, I get a single ".tar" file.

I placed that file into Splunk/etc/apps and started the Splunk instance.

I don't see any output from this. Is there any step I am missing that would further extract the "*.tar" file into sub modules?

0 Karma
1 Solution

493669
Super Champion

Hi @gagandeep_arora,
When you extract the .tgz file, it will first be extracted into a .tar file. You then need to extract the .tar file again, and you will get one folder. Now place this folder into the Splunk/etc/apps/ directory and start the Splunk instance.
Now you will be able to see the app.
Hope this helps you.

mayurr98
Super Champion

When installing ITSI on Windows, rename inputs.conf.windows to inputs.conf, in both SA-Utils and SA-ThreatIntelligence default directories.

For example:

    cd $SPLUNK_HOME/etc/apps/SA-Utils/default/
    cp inputs.conf inputs.conf.bak
    cp inputs.conf.windows inputs.conf
    rm inputs.conf.windows

Also
About admin_all_objects capability

ITSI version 2.6.0 and later does not require the admin_all_objects capability assigned to the itoa_admin role. Although you can assign this capability to the itoa_admin role manually, this is not recommended on Splunk Enterprise version 6.6.0 or later.

    If you are installing ITSI 3.0.0 on a version of Splunk Enterprise prior to version 6.6.0, you must add the admin_all_objects capability manually to the itoa_admin role or ITSI might not function as expected.

Let me know if this helps!

0 Karma

hjauch_splunk
Splunk Employee

There are multiple folders for ITSI. Place all of them into Splunk\etc\apps
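
The two-stage extraction and the multiple top-level folders described in the answers above can be handled in one pass with a short script that also checks every entry path before anything is written under etc/apps. This is an added example, not part of the original thread or of Splunk's tooling; the function names and the sample package contents are constructed for illustration.

```python
import io
import tarfile
from pathlib import Path, PurePosixPath


def check_member(member: tarfile.TarInfo) -> str:
    """Return the entry's top-level folder, or raise if it could land outside apps_dir."""
    parts = PurePosixPath(member.name.replace("\\", "/")).parts
    if not parts or member.name.startswith(("/", "\\")) or ".." in parts or ":" in parts[0]:
        raise ValueError(f"unsafe path in package: {member.name!r}")
    if not (member.isfile() or member.isdir()):
        raise ValueError(f"unexpected entry type (link/device): {member.name!r}")
    return parts[0]


def install_spl(package: Path, apps_dir: Path) -> list[str]:
    """Unpack a .spl/.tgz/.tar package into apps_dir; return the app folders it contains."""
    # Use the stdlib "data" extraction filter as a second check where this Python has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    # "r:*" auto-detects gzip, so the .spl -> .tgz -> .tar steps collapse into one.
    with tarfile.open(package, "r:*") as tar:
        members = tar.getmembers()
        top_level = sorted({check_member(m) for m in members})  # validate all entries first
        for m in members:
            tar.extract(m, apps_dir, **extra)
    return top_level


def make_sample_spl(path: Path, names: list[str]) -> Path:
    """Build a small constructed package (not the real ITSI contents) for a dry run."""
    with tarfile.open(path, "w:gz") as tar:
        for name in names:
            data = b"# constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        spl = make_sample_spl(Path(tmp) / "sample.spl",
                              ["itsi/default/app.conf", "SA-Utils/default/inputs.conf.windows"])
        apps = Path(tmp) / "apps"
        apps.mkdir()
        print(install_spl(spl, apps))  # every folder listed must end up under etc/apps
```

The returned list shows whether the package holds one app folder or several, which is the point made in the reply above.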

493669
Super Champion

Hi @gagandeep_arora,
You can accept the answer, if you think it is relevant to your question, to close this question.

0 Karma

gagandeep_arora
Path Finder

Thanks, it was really helpful.

I am able to see the ITSI apps under my Apps now, but I am seeing these error messages:
1. Importing IT Service Intelligence settings from conf files for apps and modules failed with: Splunkd daemon is not responding: ("Error connecting to /servicesNS/nobody/SA-ITOA/properties: ('The read operation timed out',)",)
2. Failed to import Team settings. ITSI will not work properly until the Team settings are imported. See this documentation page for instructions on how to resolve this issue.

Any idea how I can get it resolved? When I try to create a team, it says page not found.

0 Karma

493669
Super Champion

Have you tried to rename inputs.conf.windows to inputs.conf as suggested by @mayurr98?
As I haven't used ITSI apps, I am not aware... If it doesn't resolve your issue, then you can post a separate question.
Thanks.

0 Karma