Splunk® IT Essentials Work

Entity Integrations Manual

Overview of entity types in ITE Work

(ITE Work) visualizes entity data using entity types, analysis data filters, and navigations. ITE Work has default configurations for supported integrations. Analysis data filters and navigations are components of entity types. You can create custom entity types, analysis data filters, and navigations. For more information about configuring entity types and their components, see Create entity types in ITE Work.

How ITE Work uses entity types

Entity types define how to classify a type of data source. For example, there are Linux, Windows, Kubernetes, and VMware vCenter Server entity types. Entity types can represent physical hosts, containers, virtual environments, and cloud providers.

Each entity type contains zero or more vital metrics, analysis data filters, and navigations that define the data sources and visualizations for each entity associated with the entity type. Analysis data filters and navigations are components of entity types. You can create, modify or delete analysis data filters and navigations for a specific entity type. You can't create, modify, or delete a single analysis data filter or navigation for multiple entity types at the same time.

How ITE Work uses analysis data filters with entity types

Analysis data filters associate entity types with data sources. Analysis data filters are data collection rules that define data sources. They are split into two data types: metrics and events. Every supported entity type comes with at least one default metrics filter and one default events filter that populates the Analysis Workspace with data. Analysis data filters determine which data you can view in the Entity Analysis Dashboard. For more information about this dashboard, see Entity Analysis dashboard in ITE Work.

Each analysis data filter contains a static filter for specific data sources and an entity field filter to match data sources to a specific entity. Use static filters to include or exclude specific entity field-value pairs. Use an entity field filter to pass entity-specific information in the navigation URL. Here's an example analysis data filter for metrics for AWS EC2 instances:

{ \
    "title": "AWS EC2 metrics", \
    "type": "metrics", \
    "static_filter": { \
        "type": "include", \
        "field": "metric_name", \
        "values": ["AWS/EC2.*"] \
    }, \
    "entity_field_filter": { \
        "type": "entity", \
        "data_field": "InstanceId", \
        "entity_field": "InstanceId" \
    } \
}, \

The static_filter captures all events where metric_name = AWS/EC2.*. ITE Work correlates a metric or log event to an entity when the data_field of the event matches the entity_field of the entity. The entity_field can be any entity alias or entity information field you associated with an entity.

How ITE Work uses navigations with entity types

Navigations define parameters to send to a URL for an entity type. Use navigations to specify a URL that points to a dashboard or other resource for the entity and a set of parameters that let you specify entity information to pass as part of the URL parameters.

You can view navigations from an entity's information panel in the entity health page. Default AWS and Microsoft Azure entity types have a default navigation that displays a dashboard in an entity's Overview Dashboard.

Default entity types and their properties

Entity types and their analysis data filters, navigations, and vital metrics are defined in $SPLUNK_HOME/etc/apps/SA-ITOA/default/itsi_entity_type.conf. For more information about this file, see itsi_entity_type.conf in the Administration Manual.

Entity type Analysis data filter Navigation Vital metrics
*nix
  • System metrics
  • *nix logs
*nix Overview Dashboard
  • Average CPU Usage*
  • Average Free Memory
  • Average Available Disk
  • Average Network Traffic
Unix/Linux Add-on
  • System metrics
  • *nix-TA logs
Unix and Linux Add-on Overview Dashboard
  • Average CPU Usage*
  • Average Free Memory
  • Average Available Disk
  • Average Network Traffic
Windows
  • System metrics
  • Windows logs
Windows Overview Dashboard
  • Average CPU Usage*
  • Average Free Memory
  • Average Available Disk
  • Average Network Traffic
Kubernetes Node
  • Kubernetes Node metrics
  • Kubernetes Node logs
  • Kubernetes Node metadata
N/A
  • Average CPU Usage*
  • Average Free Memory
  • Average Available Disk
  • Average Network Traffic
Kubernetes Pod
  • Kubernetes Pod metrics
  • Kubernetes Pod logs
  • Kubernetes Pod metadata
N/A
  • Average CPU Usage*
  • Average Free Memory
  • Average Network Traffic
VMware Cluster
  • VMware Cluster metrics
  • VMware Inventory logs
  • VMware Cluster Events logs
VMware Cluster Overview Dashboard
  • Average CPU Usage*
  • Average Effective Memory
  • Hosts Down
  • Triggered Alarms
VMware Datastore
  • VMware Datastore metrics
  • VMware VM/ESXI Datastore metrics
  • VMware Datastore logs
  • VMware Datastore Events logs
VMware Datastore Overview Dashboard
  • Average Datastore Usage*
  • Datastore Overprovisioned
  • Average Datastore Read Latency
  • Average Datastore Write Latency
VMware ESXi Host
  • VMware ESXi metrics
  • VMware Inventory logs
  • VMware Tasks logs
  • VMware ESXi Hosts Events logs
  • VMware ESXi logs
VMware ESXi Overview Dashboard
  • Average CPU Usage*
  • Average Memory Usage
  • Average Datastore Latency
  • Average Network Traffic
VMware vCenter
  • VMware vCenter metrics
  • VMware Inventory logs
  • VMware vCenter Tasks and Events logs
  • VMware vCenter logs
VMware vCenter Overview Dashboard
  • Average CPU Usage*
  • Average Physical Memory Usage
  • Average Virtual Memory Usage
  • VCSA Failures
VMware VM
  • VMware VM metrics
  • VMware Inventory logs
  • VMware Tasks logs
VMware VM Overview Dashboard
  • Average CPU Usage*
  • Average Memory Usage
  • Average Datastore Latency
  • Average Network Usage

(*) Represents the key metric for the entity type.

Default entity types and data collection

The following table includes the recommended methods to get data in for each of the default entity types.

Entity type Data Collection Method Splunk Add-ons required Additional software required
*nix Collectd (HEC) N/A collectd
Unix/Linux Add-on Scripted metrics inputs Splunk Add-on for Unix and Linux sysstat
Windows Perfmon inputs N/A N/A
Kubernetes Node Splunk Connect for Kubernetes (HEC) N/A Splunk Connect for Kubernetes, helm
Kubernetes Pod Splunk Connect for Kubernetes (HEC) N/A Splunk Connect for Kubernetes, helm
VMware Cluster Data Collection Node (HF, various inputs) Splunk Add-on for VMware Metrics N/A
VMware Datastore Data Collection Node (HF, various inputs) Splunk Add-on for VMware Metrics N/A
VMware ESXi Host Data Collection Node (HF, various inputs) Splunk Add-on for VMware Metrics N/A
VMware vCenter Data Collection Node (HF, various inputs) Splunk Add-on for VMware Metrics N/A
VMware VM Data Collection Node (HF, various inputs) Splunk Add-on for VMware Metrics N/A
Last modified on 28 February, 2024
Set up a recurring import of entities in ITE Work   Create custom entity types in ITE Work

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters