Overview of entity types in ITE Work
(ITE Work) visualizes entity data using entity types, analysis data filters, and navigations. ITE Work has default configurations for supported integrations. Analysis data filters and navigations are components of entity types. You can create custom entity types, analysis data filters, and navigations. For more information about configuring entity types and their components, see Create entity types in ITE Work.
How ITE Work uses entity types
Entity types define how to classify a type of data source. For example, there are Linux, Windows, Kubernetes, and VMware vCenter Server entity types. Entity types can represent physical hosts, containers, virtual environments, and cloud providers.
Each entity type contains zero or more vital metrics, analysis data filters, and navigations that define the data sources and visualizations for each entity associated with the entity type. Analysis data filters and navigations are components of entity types. You can create, modify or delete analysis data filters and navigations for a specific entity type. You can't create, modify, or delete a single analysis data filter or navigation for multiple entity types at the same time.
How ITE Work uses analysis data filters with entity types
Analysis data filters associate entity types with data sources. Analysis data filters are data collection rules that define data sources. They are split into two data types: metrics and events. Every supported entity type comes with at least one default metrics filter and one default events filter that populates the Analysis Workspace with data. Analysis data filters determine which data you can view in the Entity Analysis Dashboard. For more information about this dashboard, see Entity Analysis dashboard in ITE Work.
Each analysis data filter contains a static filter for specific data sources and an entity field filter to match data sources to a specific entity. Use static filters to include or exclude specific entity field-value pairs. Use an entity field filter to pass entity-specific information in the navigation URL. Here's an example analysis data filter for metrics for AWS EC2 instances:
{ \ "title": "AWS EC2 metrics", \ "type": "metrics", \ "static_filter": { \ "type": "include", \ "field": "metric_name", \ "values": ["AWS/EC2.*"] \ }, \ "entity_field_filter": { \ "type": "entity", \ "data_field": "InstanceId", \ "entity_field": "InstanceId" \ } \ }, \
The static_filter
captures all events where metric_name = AWS/EC2.*
. ITE Work correlates a metric or log event to an entity when the data_field
of the event matches the entity_field
of the entity. The entity_field
can be any entity alias or entity information field you associated with an entity.
Navigations define parameters to send to a URL for an entity type. Use navigations to specify a URL that points to a dashboard or other resource for the entity and a set of parameters that let you specify entity information to pass as part of the URL parameters.
You can view navigations from an entity's information panel in the entity health page. Default AWS and Microsoft Azure entity types have a default navigation that displays a dashboard in an entity's Overview Dashboard.
Default entity types and their properties
Entity types and their analysis data filters, navigations, and vital metrics are defined in $SPLUNK_HOME/etc/apps/SA-ITOA/default/itsi_entity_type.conf
. For more information about this file, see itsi_entity_type.conf in the Administration Manual.
Entity type | Analysis data filter | Navigation | Vital metrics |
---|---|---|---|
*nix |
|
*nix Overview Dashboard |
|
Unix/Linux Add-on |
|
Unix and Linux Add-on Overview Dashboard |
|
Windows |
|
Windows Overview Dashboard |
|
Kubernetes Node |
|
N/A |
|
Kubernetes Pod |
|
N/A |
|
VMware Cluster |
|
VMware Cluster Overview Dashboard |
|
VMware Datastore |
|
VMware Datastore Overview Dashboard |
|
VMware ESXi Host |
|
VMware ESXi Overview Dashboard |
|
VMware vCenter |
|
VMware vCenter Overview Dashboard |
|
VMware VM |
|
VMware VM Overview Dashboard |
|
(*) Represents the key metric for the entity type.
Default entity types and data collection
The following table includes the recommended methods to get data in for each of the default entity types.
Entity type | Data Collection Method | Splunk Add-ons required | Additional software required |
---|---|---|---|
*nix | Collectd (HEC) | N/A | collectd |
Unix/Linux Add-on | Scripted metrics inputs | Splunk Add-on for Unix and Linux | sysstat |
Windows | Perfmon inputs | N/A | N/A |
Kubernetes Node | Splunk Connect for Kubernetes (HEC) | N/A | Splunk Connect for Kubernetes, helm |
Kubernetes Pod | Splunk Connect for Kubernetes (HEC) | N/A | Splunk Connect for Kubernetes, helm |
VMware Cluster | Data Collection Node (HF, various inputs) | Splunk Add-on for VMware Metrics | N/A |
VMware Datastore | Data Collection Node (HF, various inputs) | Splunk Add-on for VMware Metrics | N/A |
VMware ESXi Host | Data Collection Node (HF, various inputs) | Splunk Add-on for VMware Metrics | N/A |
VMware vCenter | Data Collection Node (HF, various inputs) | Splunk Add-on for VMware Metrics | N/A |
VMware VM | Data Collection Node (HF, various inputs) | Splunk Add-on for VMware Metrics | N/A |
Manually delete entities you don't want to analyze in ITE Work | Edit a default entity type in ITE Work |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1
Feedback submitted, thanks!