Splunk ITSI

Splunk IT Service Intelligence (ITSI) migration to a new search head cluster (SHC) from an old SHC

sylim_splunk
Splunk Employee

We want to migrate ITSI from one search head cluster to another search head cluster.

We don’t want to uninstall ITSI on the current/primary working cluster until we know the new search head cluster is functioning.

Is there an easy way to “disable” ITSI on the current/primary cluster so that it doesn’t continue and produce duplicate data?

After we have completely migrated ITSI to the new search head cluster, we will uninstall ITSI from the old one.

Just trying to make sure we don’t have 2 ITSI environments up and running at the same time.

1 Solution

sylim_splunk
Splunk Employee

At this moment, you cannot “disable” the whole of ITSI on a deployment. You could disable all the services so that all the KPI searches will stop running.
One thing that you may consider is to create a separate set of indexes on the same indexer for a different ITSI installation. I think we support that in 4.0.x now. For example, all the index names are like itsi_xxxx, and for the new one you can create new_itsi_xxxx to prove the new install is working, then remove them after that.

Another way is to disable the apps/add-ons one by one in the old SHC GUI. Below are the apps from ITSI:

SA-UserAccess
SA-ITSI-MetricAD
SA-ITSI-Licensechecker
SA-ITSI-CustomModuleViz
SA-ITOA
SA-ITSI-ATAD
itsi
SA-IndexCreation
DA-ITSI-WEBSERVER
DA-ITSI-VIRTUALIZATION
DA-ITSI-STORAGE
DA-ITSI-OS
DA-ITSI-LB
DA-ITSI-EUEM
DA-ITSI-DATABASE
DA-ITSI-APPSERVER

The installation and verification/validation/migration process will vary depending on your requirements and environment. I would recommend that you use a PS resource for a smooth migration.
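
Added example (not part of the original thread and not Splunk's own tooling): a check to run on each member of the old SHC that reports which of the apps listed in the answer are still enabled, so that the old cluster is not still producing data alongside the new one. It assumes the apps live under $SPLUNK_HOME/etc/apps and that an app's state is the `[install]` `state` setting in app.conf, with local overriding default; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# App folder names copied from the list in the answer above.
ITSI_APPS = """SA-UserAccess SA-ITSI-MetricAD SA-ITSI-Licensechecker
SA-ITSI-CustomModuleViz SA-ITOA SA-ITSI-ATAD itsi SA-IndexCreation
DA-ITSI-WEBSERVER DA-ITSI-VIRTUALIZATION DA-ITSI-STORAGE DA-ITSI-OS
DA-ITSI-LB DA-ITSI-EUEM DA-ITSI-DATABASE DA-ITSI-APPSERVER""".split()

def read_state(conf_path):
    """Return the [install] state value from one app.conf, or None if unset."""
    if not os.path.isfile(conf_path):
        return None
    stanza, state = None, None
    with open(conf_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1].strip()
            elif stanza == "install" and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "state":
                    state = value.lower()
    return state

def still_enabled(apps_dir):
    """List the ITSI apps installed under apps_dir that are not disabled."""
    enabled = []
    for app in ITSI_APPS:
        app_dir = os.path.join(apps_dir, app)
        if not os.path.isdir(app_dir):
            continue  # app is not installed on this member
        # local/app.conf overrides default/app.conf; no setting means enabled.
        state = (read_state(os.path.join(app_dir, "local", "app.conf"))
                 or read_state(os.path.join(app_dir, "default", "app.conf"))
                 or "enabled")
        if state != "disabled":
            enabled.append(app)
    return enabled

def build_sample(root):
    """Write a constructed etc/apps tree (sample data, not a real install)."""
    off, on = "[install]\nstate = disabled\n", "[install]\nstate = enabled\n"
    sample = {("itsi", "default"): on, ("itsi", "local"): off,
              ("SA-UserAccess", "local"): off, ("SA-ITOA", "default"): on,
              ("DA-ITSI-OS", "default"): "[ui]\nis_visible = false\n"}
    for (app, layer), text in sample.items():
        os.makedirs(os.path.join(root, app, layer), exist_ok=True)
        with open(os.path.join(root, app, layer, "app.conf"), "w", encoding="utf-8") as fh:
            fh.write(text)
```

An empty list from `still_enabled()` on every old member means none of the listed apps is left enabled there.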

skoelpin
SplunkTrust

Good idea about creating a new index for the new ITSI data
