Splunk® IT Essentials Work

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Import entities from a search in ITE Work

Create entities from (ITE Work) module searches, saved searches, or ad hoc searches using indexed data coming in your Splunk platform deployment. ITE Work uses the itsiimportobjects command to import entities from searches.

You can import a maximum of 50,000 entities at a time. If you attempt to import more than 50,000 entities, only the first 50,000 are imported.

Prerequisites

Requirement Description
ITE Work role You have to log in as a user with the itoa_admin or a user with the itoa_team_admin role that has write access to the global team.
Indexed data You have to have indexed data that you want to associate with entities.

Steps

Follow these steps to import entities from a search in ITE Work.

  1. From the ITE Work main menu, go to Configuration > Entity Management.
  2. Select Create Entity > Import from Search.
  3. Select one of the following search types:
    Search Type Description
    Modules

    (Only available in ITSI)

    Choose from a list of pre-defined entity discovery searches based on ITSI modules. For more information about using modules to create entities, see ITSI module entity discovery in the ITSI Modules manual.
    Saved Searches Choose from a list of pre-defined saved searches.
    Ad hoc Search Enter a custom search string.
  4. Enter an ad hoc search string, or select a predefined module search or saved search. Make sure the results are presented in a table. In this example, the entities are imported using an ad hoc search.
  5. Click the Search icon to view a preview of the search results. EntityImport.png
  6. Click Next.
  7. Under Import Column As, select the appropriate column type for each column. SpecifyColumn.png
    Column type Description
    Entity Title Makes the column entry the entity title. The column is also added as an Entity Alias using <column name> = <value>.
    Entity Description Makes the column entry a description of the entity.
    Entity Alias Makes the column entry a searchable entity identifier. Event Data Search uses aliases to populate recent log events for an entity in the entity health page.

    When creating an entity alias, make sure the key-value pair is unique. ITE Work relies on alias key-value pairs to identify entities in visualizations. To identify any duplicate entity aliases in your environment, see the Check for Duplicate Entity Aliases panel of the ITSI Health Check dashboard.

    Entity Information field Makes the column entry a tag that provides user-facing validation. Information fields are like common fields and can have the same values across entities. For example, an info field like datacenter=vault13 can be common to all the entities of the same data center.
    Entity Type Associates the entity with an existing entity type that matches the column entry. If the entity type doesn't already exist, you have to create it first. ITE Work ignores entity type column entries that don't already exist.
    Service Title

    (Only applies to ITSI)

    Makes the column entry the name of the service to associate the entity with. The service is created if it doesn't already exist.
    Service Description

    (Only applies to ITSI)

    Makes the column entry the description of the service.
    Do Not Import Removes the column entry from the imported data.
  8. Configure the following options in the Settings section:
    Option Description
    Service Team

    (Only displays in ITSI if you are importing services.)

    The team to create the services in.
    Import Services As

    (Only displays in ITSI if you are importing services.)

    Whether services are enabled or disabled upon import.
    Conflict Resolution Determines how ITE Work updates and stores your entity data:
    • Skip Over Existing Entities: Adds new entity data to the datastore only if the entity does not already exist. If an entity already exists, the entity is not updated.
    • Update Existing Entities: Merges the imported data and the existing data associated with the entity. Uses the Conflict Resolution field to identify the entity.
    • Replace Existing Entities: Replaces existing entity data with new entity data. Uses the Conflict Resolution field to identify the entity.
    Conflict Resolution Field The field used to merge on. Entities that have the same field value are considered to be the same entity. For example, if there is an entity defined with the same IP then merge into that entity. If Conflict Resolution is set to Update Existing Entities or Replace Existing Entities, ITE Work resolves duplicate entities based on this field.
    For more information about conflict resolution, see Resolve conflicts during ITSI entity imports in the ITSI Administration Manual.
  9. In the Preview section, click Entities to be imported to confirm that your entity import configuration is correct.

    The preview shows the entity information you're importing. It doesn't show the final merged entity values.

    PreviewEntityImport.png
  10. Click Import.
    A message appears confirming that the import is complete.
  11. Click the View all Entities link to confirm your imported entities appear in the Entity viewer page.
  12. (Optional) Click Set up Recurring Import to create a saved search that triggers the itsi_import_objects alert action for search results. The alert action uses the itsiimportobjects command to import entities. For more information, see Set up recurring import of entities in ITE Work.
Last modified on 28 February, 2024
Create a single entity in ITE Work   Import entities from a CSV file in ITE Work

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters