Entity search reference for the Content Pack for Splunk Observability Cloud
These entity searches are packaged in the content pack. You can enable them as part of the installation steps. The searches are provided here as a point of reference. If you need to create the entity searches manually, see Manually import entities.
Entity type | Search SPL and column mapping |
ITSI Import Objects - Splunk-APM Application Entity Search: Get a list of entities from Splunk APM.
Entity search SPL:
| mstats avg(*) span=5m WHERE "index"="sim_metrics" AND sf_environment="*" GROUPBY sf_environment sf_service sf_streamLabel sf_organizationID sf_realm | eval entityType="SplunkAPM", description="Splunk Application Performance Monitoring (APM)", type="SplunkAPM", SplunkApmEntity = sf_service + "-" + sf_environment + "-" + sf_organizationID + "-" + sf_realm | table SplunkApmEntity sf_service sf_environment entityType description type sf_organizationID sf_realm
Column mapping:
Column name | Import column as |
sf_service | Entity Title |
description | Entity Description |
entityType | Entity Type |
All other fields | Entity Information Field |
ITSI Import Objects - Get_SIM_AWS_EC2: Get a list of recently active AWS EC2 instances.
Entity search SPL:
| mcatalog values(_dims) where index=sim_metrics AND namespace=AWS/EC2 AND aws_account_id=* AND InstanceId=* by InstanceId, aws_account_id, aws_region, aws_image_id, aws_instance_type, sf_organizationID, sf_realm | dedup InstanceId | rename InstanceId as dim.InstanceId aws_account_id as dim.AccountID aws_region as dim.Region aws_image_id as dim.ImageId aws_instance_type as dim.InstanceType sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "AWS", entity_type="AWS EC2", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", SignalFxNavigator = "AWS%20instances", SignalFxCloudRegion = "aws_region:" + Region, SignalFxCloudServiceId = InstanceId, SignalFxCloudAccountId = "aws_account_id:" + AccountID
Column mapping:
Column name | Import column as |
InstanceId | Entity Title |
Region | Entity Alias |
AccountID | Entity Alias |
entity_type_field | Entity Type |
All other fields | Entity Information Field |
ITSI Import Objects - Get_SIM_AWS_Lambdas: Get a list of recently active AWS Lambda functions.
Entity search SPL:
| mcatalog values(_dims) where index=sim_metrics AND aws_account_id=* AND namespace="AWS/Lambda" AND Resource=* by aws_function_name, aws_account_id, aws_region, sf_organizationID, sf_realm | dedup aws_function_name, aws_account_id, aws_region | rename Resource as dim.Resource aws_function_name as dim.FunctionName aws_account_id as dim.AccountID aws_region as dim.Region sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "AWS", entity_type="AWS Lambda", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Function name: " + FunctionName + " in Region: " + Region + " in Account: " + AccountID, SignalFxNavigator = "lambda", SignalFxCloudRegion = "aws_region:" + Region, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "aws_account_id:" + AccountID, ITSIUniqueId = AccountID + Region + FunctionName
Column mapping:
Column name | Import column as |
FunctionName | Entity Title |
AccountID | Entity Alias |
Region | Entity Alias |
ITSIUniqueId | Entity Alias |
entity_type_field | Entity Type |
All other fields | Entity Information Field |
ITSI Import Objects - Get_SIM_Azure_Functions: Get a list of recently active Azure functions.
Entity search SPL:
| mcatalog values(_dims) where index=sim_metrics AND azure_resource_id=* AND is_Azure_Function=true by azure_resource_name, azure_region, azure_resource_id, azure_resource_group_name, azure_subscription_display_name, subscription_id, sf_organizationID, sf_realm | dedup azure_resource_name, azure_region, azure_resource_id | rename azure_resource_id as dim.ResourceId azure_resource_name as dim.FunctionName azure_region as dim.Location azure_resource_group_name as dim.ResourceGroupName azure_subscription_display_name as dim.SubscriptionName subscription_id as dim.SubscriptionId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "Azure", entity_type="Azure Functions", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Function name: " + FunctionName + " in Location: " + Location + " in Subscription: " + SubscriptionId, SignalFxNavigator = "azurefunctions", SignalFxCloudRegion = "azure_region:" + Location, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "subscription_id:" + SubscriptionId, ITSIUniqueId = SubscriptionId + Location + FunctionName
Column mapping:
Column name | Import column as |
FunctionName | Entity Title |
SubscriptionId | Entity Alias |
Location | Entity Alias |
ResourceId | Entity Alias |
ITSIUniqueId | Entity Alias |
entity_type_field | Entity Type |
All other fields | Entity Information Field |
ITSI Import Objects - Get_SIM_Azure_VM: Get a list of recently active Azure virtual machine instances.
Entity search SPL:
| mcatalog values(_dims) where index=sim_metrics AND azure_resource_id=* AND (resource_type="Microsoft.Compute/virtualMachines" OR resource_type="Microsoft.ClassicCompute/virtualMachines" OR resource_type="Microsoft.Compute/virtualMachineScaleSets/virtualMachines") by azure_resource_id, azure_resource_name, azure_region, azure_resource_group_name, azure_subscription_display_name, subscription_id, sf_organizationID, sf_realm | dedup azure_resource_id, azure_resource_name | rename azure_resource_id as dim.ResourceId azure_resource_name as dim.ResourceName azure_region as dim.Location azure_resource_group_name as dim.ResourceGroupName azure_subscription_display_name as dim.SubscriptionName subscription_id as dim.SubscriptionId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud="Azure", entity_type="Azure VM", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Resource ID: " + ResourceId + ", Resource name: " + ResourceName, SignalFxNavigator = "azurevirtualmachines", SignalFxCloudRegion = "azure_region:" + Location, SignalFxCloudServiceId = ResourceName, SignalFxCloudAccountId = "subscription_id:" + SubscriptionId, ITSIUniqueId = ResourceId + ResourceName
Column mapping:
Column name | Import column as |
ResourceName | Entity Title |
Location | Entity Alias |
SubscriptionId | Entity Alias |
ResourceId | Entity Alias |
ITSIUniqueId | Entity Alias |
entity_type_field | Entity Type |
entity_description | Entity Description |
All other fields | Entity Information Field |
ITSI Import Objects - Get_SIM_GCP_Functions: Get a list of recently active GCP Cloud functions.
Entity search SPL:
| mcatalog values(_dims) where index=sim_metrics AND function_name=* AND gcp_id=* by gcp_id, function_name, region, project_id, gcp_project_number, gcp_project_name, sf_organizationID, sf_realm | dedup gcp_id | rename gcp_id as dim.Id function_name as dim.FunctionName region as dim.Zone project_id as dim.ProjectId gcp_project_number as dim.ProjectNumber gcp_project_name as dim.ProjectName sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "GCP", entity_type="GCP Cloud Functions", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Project: " + ProjectId + ", Function name: " + FunctionName + ", Zone: " + Zone, SignalFxNavigator = "gcp%20cloudfunctions", SignalFxCloudRegion = "zone:" + Zone, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "project_id:" + ProjectId, ITSIUniqueId = ProjectId + Zone + FunctionName
Column mapping:
Column name | Import column as |
FunctionName | Entity Title |
ProjectId | Entity Alias |
Zone | Entity Alias |
ITSIUniqueId | Entity Alias |
entity_type_field | Entity Type |
All other fields | Entity Information Field |
ITSI Import Objects - Get_SIM_GCP_Compute: Get a list of recently active GCP Compute Engine instances.
Entity search SPL:
| mcatalog values(_dims) where index=sim_metrics AND gcp_id=* AND service=compute by gcp_id, service, instance_id, instance_name, zone, project_id, gcp_project_number, gcp_project_name, gcp_machine_type, sf_organizationID, sf_realm | dedup instance_id | rename gcp_id as dim.gcp_id service as dim.service instance_id as dim.InstanceId instance_name as dim.InstanceName zone as dim.Zone project_id as dim.ProjectId gcp_project_number as dim.ProjectNumber gcp_project_name as dim.ProjectName gcp_machine_type as dim.MachineType sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "GCP", entity_type="GCP Compute Engine", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description_field="Project ID: " + ProjectId + ", Instance name: " + InstanceName, SignalFxNavigator = "gcp%20compute", SignalFxCloudRegion = "zone:" + Zone, SignalFxCloudServiceId = gcp_id, SignalFxCloudAccountId = "gcp_project_number:" + ProjectNumber, ITSIUniqueId = ProjectId + InstanceName
Column mapping:
Column name | Import column as |
gcp_id | Entity Title |
ProjectId | Entity Alias |
Zone | Entity Alias |
InstanceId | Entity Alias |
ITSIUniqueId | Entity Alias |
InstanceName | Entity Alias |
entity_type_field | Entity Type |
All other fields | Entity Information Field |
ITSI Import Objects - Get_OS_Hosts: Get a list of recently active hosts.
Entity search SPL:
| mcatalog values(_dims) where index=sim_metrics AND cluster!=* AND host.name=* by host.name,extracted_host, computationId, sf_organizationID, sf_realm | dedup host.name | rename host.name as dim.host_name extracted_host as dim.extracted_host computationId as dim.computationId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "My Data Center Hosts", entity_type="OS Hosts", entity_type_field=entity_type, SignalFxNavigator = "OS%20Host", SignalFxCloudServiceId = host_name, ITSIUniqueId = host_name + "_" + computationId
Column mapping:
Column name | Import column as |
host_name | Entity Title |
computationId | Entity Alias |
ITSIUniqueId | Entity Alias |
entity_type_field | Entity Type |
All other fields | Entity Information Field |
ITSI Import Objects - Get_SSM_Entities: Get a list of synthetic checks.
Entity search SPL:
| synthetics checks | spath | replace real_browser with "Synthetic Real Browser" http with "Synthetic HTTP" content with "Synthetic Content" benchmark with "Synthetic Benchmark" api with "Synthetic API" | fillnull | rename links.last_run as last_run status.last_response_time as "Response Time" status.last_code as "Response Code" | table name, id, type, "Response Time", "Response Code", last_run
Column mapping:
Column name | Import column as |
name | Entity Title |
id | Entity Alias |
type | Entity Type |
All other fields | Entity Information Field |
Manually import entities
For each Splunk Observability Cloud entity type you want to import, follow these steps:
- Go to Configuration > Entities from the ITSI or IT Essentials Work menu.
- Select Create Entity > Import from Search.
- Paste the SPL for the entity type you want to import in the Ad hoc Search field and click the search icon to preview your entities.
- Click Next.
- On the Entity/Service Import screen, map the columns as specified for the entity type.
- Click Import.
- Click Set Up Recurring Import.
- Enter a name for your recurring import. For example, "Get_OC_Entities."
- Select a schedule. We recommend scheduling it to run every hour.
- Click Submit.
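Before you set up the recurring import, check in the preview (step 3) that the column you map to Entity Title identifies one resource, or that the aliases cover the cases where it does not. The search below is an added example, not part of the content pack: it trims the Get_SIM_AWS_Lambdas search above to the fields it needs and reports function names that resolve to more than one ITSIUniqueId, that is, the same function name deployed in more than one account or region. Those rows differ only in their AccountID, Region and ITSIUniqueId aliases, so make sure those alias mappings are in place before importing. An empty result means every title is unique.

```spl
| mcatalog values(_dims) where index=sim_metrics AND aws_account_id=* AND namespace="AWS/Lambda" AND Resource=* by aws_function_name, aws_account_id, aws_region, sf_organizationID, sf_realm
| dedup aws_function_name, aws_account_id, aws_region
| rename aws_function_name as FunctionName aws_account_id as AccountID aws_region as Region
| eval ITSIUniqueId = AccountID + Region + FunctionName
| stats dc(ITSIUniqueId) as distinct_ids values(ITSIUniqueId) as ids values(AccountID) as accounts values(Region) as regions by FunctionName
| where distinct_ids > 1
| sort - distinct_ids
```

ITSIUniqueId is a plain concatenation of AccountID, Region and FunctionName with no separator, so use the ids column to inspect the values rather than assuming they are unambiguous. The same stats check, grouped on the title field of each search (for example ResourceName for Get_SIM_Azure_VM or gcp_id for Get_SIM_GCP_Compute), works for the other entity searches on this page.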
When you've finished importing your entities, go to the Service Analyzer > Default Analyzer to see your services and KPIs light up.
This documentation applies to the following versions of Content Pack for Splunk Observability Cloud: 1.0.0