IT Service Intelligence (ITSI) users can easily monitor Splunk as a service by deploying the “Monitoring Splunk as a Service” ITSI Content Pack. In this post we take you through the simple steps to get up and running.
Step 1 – Install the Splunk App for Content Packs
There are various content packs available and there is a Splunk App to manage them all. The first thing you need to do is install the Splunk App for Content Packs:
- Splunk Cloud Customers
  - Raise a support case to request the install of the app
- On-Prem Customers
  - Download the app from Splunkbase
  - Stop Splunk
  - Extract the SPL archive in {SPLUNK_HOME}/etc/apps
  - Restart Splunk
Further instructions are available here.
Step 2 – Configure the Content Pack for Monitoring Splunk as a Service
From the ITSI app:
- Configuration > Data Integrations
- Select the “Add Structure to your data” tab
- Select Monitoring Splunk as a Service by clicking on the icon
- Click Proceed
- Review the options – for the quickest time to value, switch on “Import as enabled”, but for production systems review the guidance on that here
- Choose whether to add a prefix – we added “cp-sas-” so that we can easily see the ITSI objects that have been added by this content pack
- Install

Step 3 – Review Service Tree
Take a quick look at the service tree – your Splunk environment is now being monitored! You can delete services for components that you don’t have.

Step 4 – Create Entities
Creating the required entities is covered in the documentation here. We used the following simple search to map each hostname to a splunk_role. Thankfully we had a simple naming convention:
|tstats count where index=_internal by host
|fields - count
|eval splunk_role=case(match(host,"^itsi"),"itsi",match(host,"^idx"),"indexer",match(host,"^cm"),"indexer_cluster_master",true(),"unknown")
Summary
Hopefully we have shown that the installation and setup of the Content Pack for Monitoring Splunk as a Service is straightforward. It also delivers very quick time to value. From here you can move on to configuring alerting and tuning your thresholds.
For 2021 we’ve committed to posting a new Splunk tip every week!