Content Pack for Splunk Observability Cloud

Entity search reference for the Content Pack for Splunk Observability Cloud

These entity searches are packaged in the content pack. You can enable them as part of the installation steps. The searches are provided here as a point of reference. If you need to create the entity searches manually, see Manually import entities.

Entity type search, SPL, and column mapping

ITSI Import Objects - Splunk-APM Application Entity Search: Get a list of entities from Splunk APM.

Entity search SPL:

| mstats avg(*) span=5m WHERE "index"="sim_metrics" AND sf_environment="*" GROUPBY sf_environment sf_service sf_streamLabel sf_organizationID sf_realm 
| eval entityType="SplunkAPM", description="Splunk Application Performance Monitoring (APM)", type="SplunkAPM", SplunkApmEntity = sf_service + "-" + sf_environment + "-" + sf_organizationID + "-" + sf_realm 
| table SplunkApmEntity sf_service sf_environment entityType description type sf_organizationID sf_realm

Column mapping:

Column name | Import column as
sf_service | Entity Title
description | Entity Description
entityType | Entity Type
All other fields | Entity Information Field

ITSI Import Objects - Get_SIM_AWS_EC2: Get a list of recently active AWS EC2 instances.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND namespace=AWS/EC2 AND aws_account_id=* AND InstanceId=* by InstanceId, aws_account_id, aws_region, aws_image_id, aws_instance_type, sf_organizationID, sf_realm
| dedup InstanceId
| rename InstanceId as dim.InstanceId aws_account_id as dim.AccountID aws_region as dim.Region aws_image_id as dim.ImageId aws_instance_type as dim.InstanceType sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm
| fields dim.*
| rename dim.* as *
| eval Cloud = "AWS", entity_type="AWS EC2", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", SignalFxNavigator = "AWS%20instances", SignalFxCloudRegion = "aws_region:" + Region, SignalFxCloudServiceId = InstanceId, SignalFxCloudAccountId = "aws_account_id:" + AccountID

Column mapping:

Column name | Import column as
InstanceId | Entity Title
Region | Entity Alias
AccountId | Entity Alias
entity_type_field | Entity Type
All other fields | Entity Information Field

ITSI Import Objects - Get_SIM_AWS_Lambdas: Get a list of recently active AWS Lambda functions.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND aws_account_id=* AND namespace="AWS/Lambda" AND Resource=* by aws_function_name, aws_account_id, aws_region, sf_organizationID, sf_realm
| dedup aws_function_name, aws_account_id, aws_region
| rename Resource as dim.Resource aws_function_name as dim.FunctionName aws_account_id as dim.AccountID aws_region as dim.Region sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm
| fields dim.*
| rename dim.* as *
| eval Cloud = "AWS", entity_type="AWS Lambda", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Function name: " + FunctionName + " in Region: " + Region + " in Account: " + AccountID, SignalFxNavigator = "lambda", SignalFxCloudRegion = "aws_region:" + Region, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "aws_account_id:" + AccountID, ITSIUniqueId = AccountID + Region + FunctionName

Column mapping:

Column name | Import column as
FunctionName | Entity Title
AccountId | Entity Alias
Region | Entity Alias
ITSIUniqueId | Entity Alias
entity_type_field | Entity Type
All other fields | Entity Information Field

ITSI Import Objects - Get_SIM_Azure_Functions: Get a list of recently active Azure functions.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND azure_resource_id=* AND is_Azure_Function=true by azure_resource_name, azure_region, azure_resource_id, azure_resource_group_name, azure_subscription_display_name, subscription_id, sf_organizationID, sf_realm
| dedup azure_resource_name, azure_region, azure_resource_id
| rename azure_resource_id as dim.ResourceId azure_resource_name as dim.FunctionName azure_region as dim.Location azure_resource_group_name as dim.ResourceGroupName azure_subscription_display_name as dim.SubscriptionName subscription_id as dim.SubscriptionId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm
| fields dim.*
| rename dim.* as *
| eval Cloud = "Azure", entity_type="Azure Functions", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Function name: " + FunctionName + " in Location: " + Location + " in Subscription: " + SubscriptionId, SignalFxNavigator = "azurefunctions", SignalFxCloudRegion = "azure_region:" + Location, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "subscription_id:" + SubscriptionId, ITSIUniqueId = SubscriptionId + Location + FunctionName

Column mapping:

Column name | Import column as
FunctionName | Entity Title
SubscriptionId | Entity Alias
Location | Entity Alias
ResourceId | Entity Alias
ITSIUniqueId | Entity Alias
entity_type_field | Entity Type
All other fields | Entity Information Field

ITSI Import Objects - Get_SIM_Azure_VM: Get a list of recently active Azure virtual machine instances.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND azure_resource_id=* AND (resource_type="Microsoft.Compute/virtualMachines" OR resource_type="Microsoft.ClassicCompute/virtualMachines" OR resource_type="Microsoft.Compute/virtualMachineScaleSets/virtualMachines") by azure_resource_id, azure_resource_name, azure_region, azure_resource_group_name, azure_subscription_display_name, subscription_id, sf_organizationID, sf_realm
| dedup azure_resource_id, azure_resource_name
| rename azure_resource_id as dim.ResourceId azure_resource_name as dim.ResourceName azure_region as dim.Location azure_resource_group_name as dim.ResourceGroupName azure_subscription_display_name as dim.SubscriptionName subscription_id as dim.SubscriptionId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm
| fields dim.*
| rename dim.* as *
| eval Cloud="Azure", entity_type="Azure VM", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Resource ID: " + ResourceId + ", Resource name: " + ResourceName, SignalFxNavigator = "azurevirtualmachines", SignalFxCloudRegion = "azure_region:" + Location, SignalFxCloudServiceId = ResourceName, SignalFxCloudAccountId = "subscription_id:" + SubscriptionId, ITSIUniqueId = ResourceId + ResourceName

Column mapping:

Column name | Import column as
ResourceName | Entity Title
Location | Entity Alias
SubscriptionId | Entity Alias
ResourceId | Entity Alias
ITSIUniqueId | Entity Alias
entity_type_field | Entity Type
entity_description_fields | Entity Description
All other fields | Entity Information Field

ITSI Import Objects - Get_SIM_GCP_Functions: Get a list of recently active GCP Cloud functions.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND function_name=* AND gcp_id=* by gcp_id, function_name, region, project_id, gcp_project_number, gcp_project_name, sf_organizationID, sf_realm
| dedup gcp_id
| rename gcp_id as dim.Id function_name as dim.FunctionName region as dim.Zone project_id as dim.ProjectId gcp_project_number as dim.ProjectNumber gcp_project_name as dim.ProjectName sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm
| fields dim.*
| rename dim.* as *
| eval Cloud = "GCP", entity_type="GCP Cloud Functions", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Project: " + ProjectId + ", Function name: " + FunctionName + ", Zone: " + Zone, SignalFxNavigator = "gcp%20cloudfunctions", SignalFxCloudRegion = "zone:" + Zone, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "project_id:" + ProjectId, ITSIUniqueId = ProjectId + Zone + FunctionName

Column mapping:

Column name | Import column as
FunctionName | Entity Title
ProjectId | Entity Alias
Zone | Entity Alias
ITSIUniqueId | Entity Alias
entity_type_field | Entity Type
All other fields | Entity Information Field

ITSI Import Objects - Get_SIM_GCP_Compute: Get a list of recently active GCP Compute Engine instances.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND gcp_id=* AND service=compute by gcp_id, service, instance_id, instance_name, zone, project_id, gcp_project_number, gcp_project_name, gcp_machine_type, sf_organizationID, sf_realm
| dedup instance_id
| rename gcp_id as dim.gcp_id service as dim.service instance_id as dim.InstanceId instance_name as dim.InstanceName zone as dim.Zone project_id as dim.ProjectId gcp_project_number as dim.ProjectNumber gcp_project_name as dim.ProjectName gcp_machine_type as dim.MachineType sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm
| fields dim.*
| rename dim.* as *
| eval Cloud = "GCP", entity_type="GCP Compute Engine", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description_field="Project ID: " + ProjectId + ", Instance name: " + InstanceName, SignalFxNavigator = "gcp%20compute", SignalFxCloudRegion = "zone:" + Zone, SignalFxCloudServiceId = gcp_id, SignalFxCloudAccountId = "gcp_project_number:" + ProjectNumber, ITSIUniqueId = ProjectId + InstanceName

Column mapping:

Column name | Import column as
gcp_id | Entity Title
ProjectId | Entity Alias
Zone | Entity Alias
InstanceId | Entity Alias
ITSIUniqueId | Entity Alias
InstanceName | Entity Alias
entity_type_field | Entity Type
All other fields | Entity Information Field

ITSI Import Objects - Get_OS_Hosts: Get a list of recently active hosts.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND cluster!=* AND host.name=* by host.name,extracted_host, computationId, sf_organizationID, sf_realm
| dedup host.name
| rename host.name as dim.host_name extracted_host as dim.extracted_host computationId as dim.computationId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm
| fields dim.*
| rename dim.* as *
| eval Cloud = "My Data Center Hosts", entity_type="OS Hosts", entity_type_field=entity_type, SignalFxNavigator = "OS%20Host", SignalFxCloudServiceId = host_name, ITSIUniqueId = host_name + "_" + computationId

Column mapping:

Column name | Import column as
host_name | Entity Title
computationId | Entity Alias
ITSIUniqueId | Entity Alias
entity_type_field | Entity Type
All other fields | Entity Information Field


ITSI Import Objects - Get_RUM_APPS: Get a list of recent apps using RUM.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND app=* AND (os.name=Android OR os.name=iOS) by app, app.version, computationId, sf_environment, sf_organizationID, sf_product, sf_realm, os.name
| eval app_version='app.version', os_name='os.name'
| eval entity_type="RUM App Metrics", entity_type_field=entity_type+", Real User Monitoring", app_identifier= app +":"+ app_version +":"+ os_name +":"+ sf_environment +":"+ sf_organizationID
| dedup app_identifier

Column mapping:

Column name | Import column as
entity_title_field | app_identifier
entity_identifier_fields (entity alias) | os_name, app_version, sf_environment, app
entity_type_field | entity_type
entity_informational_fields | computationId, sf_organizationID, sf_product, sf_realm, entity_type

entity_description_field

entity_type_field

ITSI Import Objects - Get_RUM_BROWSER: Get a list of recent browsers using RUM.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND app=* AND (sf_ua_osname=Linux OR sf_ua_osname=Windows OR sf_ua_osname="Mac OS X") by app, computationId, sf_environment, sf_organizationID, sf_product, sf_realm, sf_ua_browsername, sf_ua_osname
| eval entity_type="RUM Browser Metrics", entity_type_field=entity_type+", Real User Monitoring", browsers=sf_ua_browsername +":"+ app +":"+ sf_ua_osname
| dedup browsers

Column mapping:

Column name | Import column as
entity_identifier_fields (entity alias) | browsers, sf_ua_osname, sf_ua_browsername, sf_environment, app
entity_type_field | entity_type
entity_informational_fields | computationId, sf_organizationID, sf_product, sf_realm, entity_type

entity_description_field

entity_type_field

ITSI Import Objects - Get_RUM_SYNTHETICS: Get a list of recent synthetics using RUM.

Entity search SPL:

| mcatalog values(_dims) where index=sim_metrics AND app=* AND (sf_ua_osname=Rigor) by app, computationId, sf_environment, sf_organizationID, sf_product, sf_realm, sf_ua_browsername, sf_ua_osname
| eval entity_type="RUM Synthetic Metrics", entity_type_field=entity_type+", Real User Monitoring", syn_browsers=sf_ua_browsername +":"+ app +":"+ sf_ua_osname
| dedup syn_browsers

Column mapping:

Column name | Import column as
entity_title_field | browsers
entity_identifier_fields (entity alias) | sf_ua_osname, sf_ua_browsername, sf_environment, app
entity_type_field | entity_type
entity_informational_fields | computationId, sf_organizationID, sf_product, sf_realm, entity_type

entity_description_field

entity_type_field

ITSI Import Objects - SSM_get_entities_api: Get a list of API Tests.

Entity search SPL:

| mstats count(_value) as mval WHERE index="sim_metrics" AND metric_name=* AND test_type=api BY test, test_type, test_id, sf_realm | eval test_type="Synthetic API Test" | table test, test_id, test_type, sf_realm

Column mapping:

Column name | Import column as
test | Entity Title
test_id | Entity Alias
Synthetic API Test | Entity Type
sf_realm | Entity Information Fields

ITSI Import Objects - SSM_get_entities_browser: Get a list of Browser Tests.

Entity search SPL:

| mstats count(_value) as mval WHERE index="sim_metrics" AND metric_name=* AND test_type=browser BY test, test_type, test_id, sf_realm | eval test_type="Synthetic Browser Test" | table test, test_id, test_type, sf_realm

Column mapping:

Column name | Import column as
test | Entity Title
test_id | Entity Alias
Synthetic Browser Test | Entity Type
sf_realm | Entity Information Fields

ITSI Import Objects - SSM_get_entities_http: Get a list of HTTP Tests.

Entity search SPL:

| mstats count(_value) as mval WHERE index="sim_metrics" AND metric_name=* AND test_type=http BY test, test_type, test_id, sf_realm | eval test_type="Synthetic HTTP Test" | table test, test_id, test_type, sf_realm

Column mapping:

Column name | Import column as
test | Entity Title
test_id | Entity Alias
Synthetic HTTP Test | Entity Type
sf_realm | Entity Information Fields


Manually import entities

For each Splunk Observability Cloud entity you want to import, follow these steps:

  1. Go to Configuration > Entities from the ITSI or IT Essentials Work menu.
  2. Select Create Entity > Import from Search.
  3. Paste the SPL for the entity type you want to import in the Ad hoc Search field and click the search icon to preview your entities.
  4. Click Next.
  5. On the Entity/Service Import screen, map the columns as specified for the entity type.
  6. Click Import.
  7. Click Set Up Recurring Import.
    1. Enter a name for your recurring import. For example, "Get_OC_Entities."
    2. Select a schedule. We recommend scheduling it to run every hour.
    3. Click Submit.

When you've finished importing your entities, go to the Service Analyzer > Default Analyzer to see your services and KPIs light up.

Last modified on 04 June, 2024

This documentation applies to the following versions of Content Pack for Splunk Observability Cloud: 3.3.0

