Splunk® IT Essentials Work

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

About the Infrastructure Overview in ITE Work

The Infrastructure Overview provides a holistic view of all entities in your environment as well as the health of those entities across various platforms.

An entity is an IT infrastructure component that requires management to deliver an IT service. Each entity has specific attributes and relationships to other IT processes that identify the entity. Entities are usually hosts, but can also be items as diverse as cloud or virtual resources, network devices, applications, users, and cell towers. For more information about entities, see Overview of entity integrations in ITE Work.

Use the Infrastructure Overview to monitor the health of your overall system and quickly understand the availability and performance of your server infrastructure. You can filter entities by status (Active, Inactive, N/A, or Unstable) using the Status Filter, and by alert severity (Normal, Warning, Critical) using the Severity Filter. You can also filter by additional dimensions such as entity alias, entity status, or informational fields in the entities with dimensions field.

Group entities by entity type

Use the Group by dropdown to group entities by entity type in the Infrastructure Overview and see a consolidated view of the health of each of your integrated platforms. Each entity type card displays a key statistic for that specific entity type. A key statistic calculates the distribution of entities associated with the entity type to indicate the overall health of the entity type. Select an entity type to drill down into its vital metrics and perform more in-depth analysis. For more information about vital metrics, see Investigate vital metrics for an entity type.

Key statistics are defined in the is_key object in itsi_entity_types.conf. An entity type can only have one key statistic, so all other metrics must be vital metrics with is_key = 0. Do NOT edit key statistics and vital metrics through this configuration file. If you want to change the key statistic for an entity type, use the REST API. For instructions and examples, see Add custom vital metrics or edit default metrics. Only users assigned the admin or itoa_admin role can edit key statistics.

The following image shows the Infrastructure Overview grouped by entity type:

InfraOverview.png

Supported data sources

A gray histogram or inactive status means you're not collecting data from that particular data source. You need to bring that data into ITE Work using the defined data configuration method so that corresponding entities can be associated with the proper entity type. The following table lists the entity integrations available out-of-the-box in ITE Work and how to configure them:

| Data sources | Configuration instructions |
| --- | --- |
| *nix; Splunk Add-on for Unix and Linux | About the Unix and Linux entity integration in ITE Work |
| VMware VM; VMware Cluster; VMware ESXi Host; VMware vCenter; VMware Datastore | About the VMware vSphere entity integration in ITE Work |
| Kubernetes Node*; Kubernetes Pod* | Collect Kubernetes metrics and logs with Splunk App for Infrastructure |
| Windows | About the Windows entity integration in ITE Work |

(*) ITE Work doesn't currently have a Kubernetes integration.

Investigate vital metrics for an entity type

Select an entity type within the Infrastructure Overview to drill down to its entity details page, which displays vital metrics for that entity type. Vital metrics are statistical calculations based on SPL searches that represent the overall health of entities of that type. A vital metric search can run against both metrics and log data, but the search result must be a metric.

In the following example, the entity type's vital metrics are average CPU usage, memory usage, disk availability, and network usage:

Vitalmetrics.png

Perform the following steps to access the vital metrics for an entity type:

  1. From the ITE Work main menu, click Infrastructure Overview.
  2. In the Group by dropdown, choose Entity Type.
  3. Select the card for the entity type you want to analyze.

The vital metrics for all entity types are defined in itsi_entity_type.conf. One vital metric contains "is_key": 1 which designates it as the key statistic displayed in the Infrastructure Overview histogram. Each vital metric in the configuration file contains a list of split_by_fields that attribute the aggregation to each entity associated with the entity type based on the matching_entity_fields. Split by fields enable ITE Work to calculate the distribution of values to display in the histogram.
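The constraints described above (exactly one metric with is_key set to 1, and split-by fields on every vital metric) can be checked before a definition is submitted through the REST API. The following is an added example, not Splunk code: the vital_metrics and metric_name key names, the sample entity type, and the rule that each data field in matching_entity_fields must also appear in split_by_fields are assumptions made for illustration.

```python
import json

# Constructed sample, not a real ITE Work export. "vital_metrics" and
# "metric_name" are assumed key names; is_key, split_by_fields and
# matching_entity_fields are the names used on this page.
SAMPLE = json.loads("""
{
  "title": "example_nix",
  "vital_metrics": [
    {"metric_name": "Average CPU Usage", "is_key": 1,
     "split_by_fields": ["host"], "matching_entity_fields": {"host": "host"}},
    {"metric_name": "Memory Usage", "is_key": 1,
     "split_by_fields": ["host"], "matching_entity_fields": {"host": "host"}},
    {"metric_name": "Disk Availability", "is_key": 0,
     "split_by_fields": [], "matching_entity_fields": {"host": "host"}}
  ]
}
""")


def lint_entity_type(entity_type):
    """Return a list of problems found in one entity type definition."""
    problems = []
    metrics = entity_type.get("vital_metrics", [])
    keys = [m.get("metric_name") for m in metrics if int(m.get("is_key", 0)) == 1]
    if len(keys) != 1:
        problems.append(f"expected exactly one is_key=1 metric, found {len(keys)}: {keys}")
    for m in metrics:
        name = m.get("metric_name", "<unnamed>")
        if int(m.get("is_key", 0)) not in (0, 1):
            problems.append(f"{name}: is_key must be 0 or 1")
        split_by = m.get("split_by_fields") or []
        if not split_by:
            problems.append(f"{name}: split_by_fields is empty, no per-entity distribution")
        # Assumption: the values of matching_entity_fields are data field names,
        # and each one must be split on so results can be tied to an entity.
        missing = sorted(set(m.get("matching_entity_fields", {}).values()) - set(split_by))
        if missing:
            problems.append(f"{name}: matching fields not in split_by_fields: {missing}")
    return problems


if __name__ == "__main__":
    for problem in lint_entity_type(SAMPLE):
        print(problem)
```
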

The vital metrics search of each of the default entity types uses a macro like itsi_entity_type_nix_metrics_indexes to find data. If the entity type histogram or vital metrics shows no data, it's possible that the data resides in another index. If this is the case, modify the macro to include your index.

Monitor entity status

Entities discovered from a recurring import search are assigned a status to indicate whether they are actively sending data, enabling you to monitor the health and performance of your environment. The entity status updates when the recurring bulk import runs on its schedule. For more information about how to set up a recurring import search, see Set up a recurring import of entities in ITE Work.

The Last Updated column indicates the last recorded time that an entity sent data. The Status column displays one of the following statuses:

  • Active: Indicates that the entity is active and receiving data from the latest discovery window.
  • Inactive: Indicates that the entity stopped sending data and is inactive.
  • Unstable: Indicates that the entity is unstable because at least one of its data sources is inactive.
  • N/A: Indicates that the entity does not have a status because it is not linked to a data source. Entities that are not created from recurring bulk import searches (such as entities created from a single import) will display this status.

The Current Entity Status Breakdown chart displays a breakdown of the number of entities by status. You can filter entities by status or dimension using the filters at the top of the page.

The Alert Breakdown chart displays a breakdown of the number of entities by alert severity. You can filter entities by alert severity using the Severity Filter at the top of the page.

Note: If you have a large number of entities, the recurring bulk import can take longer to complete. Tune the cron schedule of the recurring import searches to run less frequently so that your entity status updates on time.

Select an individual entity to investigate its status and other vital metrics on the Entity Details page.

Last modified on 17 May, 2022

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only

