Splunk® IT Service Intelligence

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

Create a single entity in ITSI

An entity is any component (for example, a host or business process) that requires management to deliver a service. Each entity has specific attributes and relationships to other processes, providing a means to filter your data. Entities contain alias fields and informational fields ITSI associates with indexed events. For more, see Overview of entity integrations in ITSI.

You can associate entities with entity types. Entity types define visualizations and resources for entities. For more information, see Overview of entity types in ITSI.

Prerequisites

Requirement Description
ITSI role You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role.

Steps

Follow these steps to manually create a single entity.

  1. From the ITSI main menu, go to Configuration > Entity Management.
  2. Select Create Entity > Create Single Entity.
  3. Configure the following fields to define your entity:
    Field Description
    Name The name of the entity.
    Description Provide a description of the entity. You can view the description from the Entities lister page later.
    Team All entities are created in the Global team. You can't modify this field.
    Aliases

    Field-value pairs that identify the entity. Fields and values are case insensitive. For example:

    host=webserver-01

    IP=10.2.1.1

    MAC=C6:4B:B9:E8:E6:2A

    If a field has multiple values, separate them with commas. For example, host = webserver-01, webserver-01.splunk.com .

    When creating an entity alias, make sure the key-value pair is unique. ITSI relies on alias key-value pairs to identify entities in visualizations such as Service Analyzer and Episode Review, and ensure that information is displayed accurately for each entity. To identify any duplicate entity aliases in your environment, see the Check for Duplicate Entity Aliases panel of the ITSI Health Check dashboard.

    Info Fields

    Field-value pairs that associate specific attributes with the entity. Info fields are like common fields, and can have the same values across entities. For example, an info field like datacenter=vault13 can be common to all the entities of the same data center. Fields and values are case insensitive. For example:

    role=webserver

    owner=Ops

    If a field has multiple values, separate them with commas. For example, component=metrics, store.

    Alias and info fields and values have the following restrictions:

    • Unsupported characters in field names: dollar sign ($) as the first character, single quotes ('), double quotes ("), equal sign (=), period (.), and commas (,).
    • Unsupported characters in field values: dollar sign ($) as the first character, single quotes ('), double quotes ("), and equal sign (=). Using commas (,) will split a field value into two separate fields with two names.
  4. Select existing Entity Types you want to associate the entity with. You can select zero or more entity types. If you don't have existing entity types, create them first. You can edit the entity later and associate it with entity types. For more information about creating entity types, see Configure entity types in ITSI.
  5. Click Create. The entity appears in the Entities lister page.

Do more with ITSI

After you create entities, you can use entity rules to associate entities with services, included with ITSI. For more information about entity rules and configuring services, see Overview of creating services in ITSI in the ITSI Service Insights manual.

Last modified on 17 January, 2024
Overview of creating custom content packs in ITSI   Import entities from a search in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters