Splunk® IT Service Intelligence

Service Insights Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Define entity rules for a service in ITSI

Entity rules in IT Service Intelligence (ITSI) let you dynamically filter KPI searches based on entity alias matches, thereby associating one or more entities to a specific service. Entity aliases are field-value pairs that identify the entity. You can use entity rules to associate entities with KPIs at the service level, which makes it unnecessary to specify entity identifying fields for each KPI search.

Adding entity rules is part of the service configuration workflow. You can edit the entity rules of a service at any time by opening the service and going to the Entities tab. For more information about entities, see Overview of entity integrations in ITSI in the Entity Integrations manual.

When to add entity rules

Entity rules are optional and you can add them at any time. Add entity rules if you want to be able to filter a KPI by the entities in the service. There are many scenarios where entity rules can make it easier to configure your services, including the following:

  • You want to match entity ID data not recognized inside Splunk Enterprise (such as mapping a naming scheme to specific devices). For example, your organization might use a server naming convention such as server-01, server-02, and so on. These names do not appear as fields inside Splunk searches. Adding rules that match your entity aliases to your server naming scheme lets you apply KPI searches to those servers.
  • You want to disambiguate between multiple fields that identify the same machine (such as a host with multiple IP addresses).

Entity rule matching behavior

You can use wildcards (*) as matching characters to filter entity rules to a subset of entities. A wildcard represents 0 or more characters. For example, the entity rule host matches appserver* could include appserver1, appserver2, or just appserver. Wildcards are currently the only type of masking character allowed in entity rules. Other masking techniques such as regex are not allowed.

Prerequisite

Entity rule creation exists within the service definition, so you must create a service before configuring its entity rules. For more information, see Overview of creating services in ITSI.

How to set up entity rules

You can set up entity rules to match entities based on entity aliases, info, or entity title. You can also create rules based on multiple AND/OR conditions. For more information and examples of the different fields within an entity, see Manually create a single entity in ITSI in the Entity Integrations guide.

For example, you want to add entity rules that identify your database servers, and those servers have aliases of host=mysql-01, host=mysql-02, host=mysql-03. This will essentially filter the service to only mysql entities, so the KPIs within the service will only monitor those entities. You can add an entity rule such as "host matches mysql*" to match with all entities with a value that starts with mysql in order to identify the servers on which to run the KPI search.

You also have the option to leave entity values blank. For example you could specify "web_server does not match" and leave the value field empty to include all values for the web_server field.

EntityRules.png

This entity rule matches the host field in Splunk data with servers beginning with mysql and displays all matches in the Matched Entities preview section. Review the matched entities to make sure all the expected entities are showing up. If you don't see the expected results, try modifying or removing entity rules. When you save the service, ITSI adds each server to all KPI searches in the service.

Filter entities out of a service

Use the "does not match" entity rule to filter entities out of a service rather than in. For example, if you want to filter out your database servers, you could add a rule such as "host does not match mysql*" so the KPI search does not run on those servers.

It is important to note that the "does not match" entity rule always acts as if it has a wildcard (*) at the end of the string you specify, filtering out all possibilities that start with the value rather than just that value.

For example, you have two entities, one with info field location = Z and another with location = ZZZ. If you create an entity rule: location does not match Z, no entities will match the service. Z acts as if it has a wildcard at the end of it, filtering out any info fields that begin with the letter "Z".

This is the default behavior. To work around this behavior, create an OR condition in the entity rules such that the logic works. For example,

Rule 1: location does not match A, B, C, ..., Z

OR

Rule 2: location matches ZZZ

Entity rules in service templates

Any entity rules without values that came from the template contain a Blank entity value.png icon. Provide a value to filter the service to a specific set of entities. These entity rule values are meant to be custom for each service. Some entity rules might have blank values intentionally and don't display the notification icon. Add or change entity rules as desired for the service. You can choose to preserve any custom entity rules you define in the service when you update the service template.

For more information, see Create a service from a service template in ITSI.

Last modified on 25 July, 2023
PREVIOUS
Import services from a search in ITSI
  NEXT
Add service dependencies in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters