Splunk® IT Essentials Work

Entity Integrations Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

About the Infrastructure Overview in ITE Work

The (ITE Work) Infrastructure Overview page provides a holistic view of all entities in your environment.

An entity is an IT infrastructure component that requires management to deliver an IT service. Each entity has specific attributes and relationships to other IT processes that identify the entity. Entities are usually hosts but can also be items as diverse as cloud or virtual resources, network devices, applications, users, and cell towers. For more information about entities, see Overview of entity integrations in ITE Work

Use the Infrastructure Overview page to monitor the health of your overall system and quickly understand the availability and performance of your server infrastructure.

You can filter entities by status (Active, Inactive, N/A, or Unstable) using the Status Filter and alert severity (Normal, Warning, Critical) using the Severity Filter. Filter by additional dimensions such as entity alias, entity status, or informational fields in the entities with dimensions field.

Entities are grouped by entity type by default which gives you a consolidated view of the health of each of your integrated platforms. Select Group by: None in the dropdown to ungroup entities.

Use the Hide entity types with no entities setting to hide entity types that don't have entities.

This image shows the Infrastructure Overview grouped by entity type with entity types with no entities hidden.

InfraOverview 4 11 0.png

Supported data sources

A gray histogram or inactive status means you're not collecting data from that particular data source. You need to bring that data into ITE Work using the defined data configuration method so that corresponding entities can be associated with the proper entity type. The following table lists the entity integrations available out-of-the-box in ITE Work and how to configure them:

Data sources Configuration instructions
  • *nix
  • Splunk Add-on for Unix and Linux
About the Unix and Linux entity integration in ITE Work
  • VMware VM
  • VMware Cluster
  • VMware ESXi Host
  • VMware vCenter
  • VMware Datastore
About the VMware vSphere entity integration in ITE Work
Windows About the Windows entity integration in ITE Work

Investigate vital metrics for an entity type

Select an entity type within the Infrastructure Overview to further drill down to its entity details page, which displays vital metrics for that entity type. Vital metrics are statistical calculations based on SPL searches that represent the overall health of entities of that type. Vital metrics can search against both metrics and logs data, while the search result has to be a metric.

In this example, the entity type's vital metrics are average CPU usage, memory usage, disk availability, and network usage:

Vitalmetrics.png

The vital metrics for all entity types are defined in itsi_entity_type.conf. One vital metric contains "is_key": 1 which designates it as the key statistic displayed in the Infrastructure Overview histogram. Each vital metric in the configuration file contains a list of split_by_fields that attribute the aggregation to each entity associated with the entity type based on the matching_entity_fields. Split by fields enables ITE Work to calculate the distribution of values to display in the histogram.

The vital metrics search of each of the default entity types uses a macro like itsi_entity_type_nix_metrics_indexes to find data. If the entity type histogram or vital metrics shows no data, it's possible that the data resides in another index. If this is the case, modify the macro to include your index.

Monitor entity status

InfraOverview Entity Status4 11 0.png

Select Group by: None in the dropdown to monitor individual entities.

Entities discovered from a recurring import search are assigned a status to indicate whether they are actively sending data, enabling you to monitor the health and performance of your environment. The entity status updates when the recurring bulk import runs on its schedule. For more information about how to set up a recurring import search, see Set up a recurring import of entities in ITE Work.

Note: If you have a large number of entities, the recurring bulk import can take longer to complete. Tune the cron schedule of the recurring import searches to search less frequently in order to ensure your entity status updates on time.

The Last Updated column displays the last recorded time that an entity sent data. The Status column displays one of these statuses:

  • Active: Indicates that the entity is active and receiving data from the latest discovery window.
  • Inactive: Indicates that the entity stopped sending data and is inactive.
  • Unstable: Indicates that the entity is unstable because at least one of its data sources is inactive. The data source may not be sending data consistently, lag and be outside of the search window, or the lookback period may be too short.
  • N/A: Indicates that the entity doesn't have a status because it is not linked to a data source. Entities that are not created from recurring bulk import searches (such as entities created from a single import) will display this status.

View a breakdown of the entities in your environment by status on the Current Entity Status Breakdown chart, and view a breakdown by alert severity on the Alert Breakdown chart.

Saved searches contribute to an entity's status. Troubleshoot unstable or inactive entities on the Entity Discovery Searches tab. To learn more, see Understand entity status and search data in ITSI.

Last modified on 28 February, 2024
PREVIOUS
Create custom entity types in ITE Work
  NEXT
Event Data Search dashboard in ITE Work

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters