Use custom indexes in ITE Work
The default metrics index for entity metrics data is itsi_im_metrics. To use another metrics index, you have to update the itsi_im_metrics_indexes search macro to include the index. You can include multiple metrics indexes in the search macro.
You can create custom indexes to store metrics and log data for (ITE Work) entity integrations. For more information about creating custom indexes, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers guide.
Use custom entity metrics indexes
Entity discovery searches, vital metrics, and dashboards use macros to define which indexes to search in.
Metrics you collect with ITE Work entity integrations ordinarily have the itsi_im_metrics source type. This source type performs important data transforms before indexing. Use the itsi_im_metrics source type with any custom metrics index you create.
Metrics you collect for default entity classes with a supported data collection method include the itsi_im_metrics source type.
Metrics for custom entity classes may not include the required source type. When you include the required source type at the index level, all data you send to the index includes the required source type.
Include a custom metrics index in the itsi_im_metrics_indexes search macro so you can monitor hosts in your infrastructure that send data to the custom index. You can add multiple metrics indexes to the metrics index macro.
Find and update the itsi_im_metrics_indexes macro by performing the following steps:
- Go to Settings > Advanced search and select Search macros.
- Select the itsi_im_metrics_indexes macro.
- For the Definition, include the custom index you want to use. If you use multiple metrics indexes, add each one like this:
index = linux_metrics OR index = windows_metrics
- When you're done, save the macro.
Use custom entity metrics indexes for entity types
The vital metrics displayed on the Infrastructure Overview page are based on macros with the format itsi_entity_type_*. Update this macro to include a custom metrics index so you can monitor hosts in your infrastructure that send data to the custom index. You can add multiple metrics indexes to the itsi_entity_type_* macro.
- Go to Settings > Advanced search and select Search macros.
- Select the itsi_entity_type_* macro. For example, the itsi_entity_type_nix_metrics_indexes is a macro for the Linux entity type.
- For the Definition, include the custom index you want to use. If you use multiple metrics indexes, add each one like this:
index = itsi_im_metrics OR index = linux_metrics
- When you're done, save the macro.
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1