Splunk® IT Essentials Work

Overview of Splunk IT Essentials Work


Set up Splunk IT Essentials Work

Follow these high-level steps to get started with Splunk IT Essentials Work (ITE Work). We'll use monitoring Unix and Linux in ITE Work as our example use case throughout the topic.

To start using ITE Work, complete these tasks.

  1. Install add-ons to get data in.
  2. Create entities and entity types.
  3. Install prepackaged content.
  4. Monitor and analyze entities.
  5. Investigate and route alerts.

The following diagram lists the apps and features you can use to accomplish each task. Detailed information for each task follows the diagram.

[Diagram: the five steps above, each with the relevant products and features. The detailed steps follow.]

Install add-ons to get data in

Install IT operations add-ons from Splunkbase to help you onboard data from various data sources.

For our use case, we'll use the Splunk Add-on for Unix and Linux to collect data from large-scale Unix and Linux environments. Download the add-on from Splunkbase. See Collect *nix data in ITE Work with the Splunk Add-on for Unix and Linux in the Entity Integrations Manual for configuration steps.

To see other available add-ons, go to the IT Operations category on Splunkbase to review available add-ons.
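The add-on ships with all of its scripted inputs disabled, so nothing reaches ITE Work until you enable the ones you need. The following local override is an added example, not a configuration taken from the add-on's documentation or from the Entity Integrations Manual. The stanza names correspond to scripts shipped in the add-on's bin directory; the interval values, the index name os and the choice of scripts are assumptions to adjust for your environment. Place the file in the add-on's local directory on each forwarder, for example $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf, so that your settings survive add-on upgrades.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf   (assumed path)
# Added example: enables a subset of the add-on's scripted inputs.
# Every key here overrides the shipped default, where disabled = 1.
# The index "os" is an assumption; it must already exist on the indexers
# or the events are dropped on arrival.

[script://./bin/cpu.sh]
interval = 60
sourcetype = cpu
index = os
disabled = 0

[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
index = os
disabled = 0

[script://./bin/df.sh]
interval = 300
sourcetype = df
index = os
disabled = 0

[script://./bin/ps.sh]
interval = 30
sourcetype = ps
index = os
disabled = 0
```

Two points worth checking before you push this out with a deployment server. First, scripted inputs run with the privileges of the forwarder process on every host that receives the app, so run the forwarder as an unprivileged user and treat anything under the add-on's bin and local directories as code you are distributing to your fleet. Second, confirm the index exists and that the forwarder's user can read the files the scripts inspect; a stanza that is enabled but writes to a missing index produces no entities and no obvious error in ITE Work.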

Create entities and entity types

After getting data in, your next task is to create entities and entity types.

What is an entity?

ITE Work treats data as entities. An entity is an IT component that requires management to deliver an IT service. Each entity has specific attributes and relationships to other IT processes that uniquely identify it. Entities are usually hosts but can also be cloud or virtual resources, network devices, applications, users, and cell towers.

These are some examples of ITE Work entities:

  • Physical, virtual, or cloud resources
  • Network devices such as switches or routers
  • AD and LDAP users
  • Storage systems, volumes
  • Operating systems or processes
  • Software applications, such as database applications, web-server applications, and business applications
  • Application process instances
  • Cell towers
  • IoT devices

What is an entity type?

ITE Work uses entity types to classify data sources. For example, there are *nix, Windows, Kubernetes, and VMware vCenter Server entity types. Entity types can represent physical hosts, containers, virtual environments, and cloud providers. Each entity type contains vital metrics, analysis data filters, and navigations that define the data sources and visualizations for each entity associated with the entity type.

There are two ways to create entities in ITE Work.

  1. You can regularly collect data and automatically create entities with entity integrations. These integrations are available:
  2. You can also manually create entities in ITE Work using these methods:

After you create your entities, they are automatically associated with corresponding default entity types. You can also create custom entity types. See Overview of entity types in ITE Work.

Because we're using the Splunk Add-on for Unix and Linux for our example use case, our entities and the corresponding entity type are automatically created. Follow these steps to check that your entities appear in ITE Work.

  1. From the ITE Work main menu, go to Configuration > Entities.
  2. Select the Unix/Linux Add-on entity type tile to view the entities created by the add-on. From here, you can view the associated entity details dashboard.

Install prepackaged content

After you create your entities, you can begin using this data. The Splunk App for Content Packs contains a library of Splunk content packs that provide prepackaged content for you to quickly set up your ITE Work environment and start using the data you've brought in. Content packs can include preconfigured KPI base searches, service templates, saved glass tables, and other objects for use within ITE Work. For a list of available content packs, see Available content packs in the Overview of the Splunk App for Content Packs manual.

Download the Splunk App for Content Packs from Splunkbase. See Install the Splunk App for Content Packs in the Overview of the Splunk App for Content Packs manual for installation steps.

After you install the Splunk App for Content Packs, you can install content packs that are relevant to the data you've brought in. In addition to the content packs shown on the Data Integrations page under Add structure to your data, there are content packs that are automatically installed when you install the Splunk App for Content Packs.

For our example use case, use the Content Pack for Unix and Linux Dashboards and Reports, which is installed automatically with the Splunk App for Content Packs, to begin monitoring Unix and Linux.

Monitor and analyze entities

Now, you're ready to begin monitoring and analyzing your entities. Use these entity views to analyze log data associated with an entity and track entity metrics:

View                     Description
Infrastructure Overview  Analyze the health of entities across various platforms. See About the Infrastructure Overview in ITE Work.
Event Data Search        Analyze the logs that ITE Work correlates with entities. See Event Data Search Dashboard in ITE Work.
Entity Analytics         Analyze the performance of entities. See Analyze entity performance metrics in ITE Work.

Investigate and route alerts

Use the Alerts Review dashboard to investigate alerts caused by changes in the vital metrics for entity types in your environment. See Overview of Alerts Review in IT Essentials Work.

If you want to take an external action when an alert is triggered, such as sending an email, use the Content Pack for ITE Work Alert Routing. See Content Pack for ITE Work Alert Routing.

To group related alerts into episodes and access the Episode Review page, upgrade to IT Service Intelligence (ITSI).

Splunk IT Essentials Learn

Splunk IT Essentials Learn offers prepackaged procedures for a variety of common IT use cases. The procedures provide a starting point for ingesting your data into the Splunk platform and monitoring useful metrics within your environment. See Splunk IT Essentials Learn.

Last modified on 13 February, 2023

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.16.0 Cloud only
