Splunk® IT Essentials Work

Entity Integrations Manual

This documentation doesn't apply to the most recent version of Splunk IT Essentials Work.
This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Use custom indexes in ITE Work

The default metrics index for entity metrics data is itsi_im_metrics. To use another metrics index, you have to update the itsi_im_metrics_indexes search macro to include the index. You can include multiple metrics indexes in the search macro.

You can create custom indexes to store metrics and log data for (ITE Work) entity integrations. For more information about creating custom indexes, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers guide.

Use custom entity metrics indexes

Entity discovery searches, vital metrics, and dashboards use macros to define which indexes to search in

Metrics you collect with ITE Work entity integrations ordinarily have the itsi_im_metrics source type. This source type performs important data transforms before indexing. Use the itsi_im_metrics source type with any custom metrics index you create.

Metrics you collect for default entity classes with a supported data collection method include the itsi_im_metrics source type.

Metrics for custom entity classes may not include the required source type. When you include the required source type at the index level, all data you send to the index includes the required source type.

Include a custom metrics index in the itsi_im_metrics_indexes search macro so you can monitor hosts in your infrastructure that send data to the custom index. You can add multiple metrics indexes to the metrics index macro.

Find and update the itsi_im_metrics_indexes macro by performing the following steps:

  1. Go to Settings > Advanced search and select Search macros.
  2. Select the itsi_im_metrics_indexes macro.
  3. For the Definition, include the custom index you want to use. If you use multiple metrics indexes, add each one like this:
    index = linux_metrics OR index = windows_metrics
    
  4. When you're done, save the macro.

Use custom entity metrics indexes for entity types

The vital metrics displayed on the Infrastructure Overview page are based on macros with the format itsi_entity_type_*. Update this macro to include a custom metrics index so you can monitor hosts in your infrastructure that send data to the custom index. You can add multiple metrics indexes to the itsi_entity_type_* macro.

  1. Go to Settings > Advanced search and select Search macros.
  2. Select the itsi_entity_type_* macro.
  3. For example, the itsi_entity_type_nix_metrics_indexes is a macro for the Linux entity type.
  4. For the Definition, include the custom index you want to use. If you use multiple metrics indexes, add each one like this:
    index = itsi_im_metrics OR index = linux_metrics
    
  5. When you're done, save the macro.
Last modified on 28 February, 2024
Configure the HTTP Event Collector to collect entity integration data in ITE Work   Configure a universal forwarder to send data to ITE Work in Splunk Cloud Platform

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters