Splunk® IT Essentials Work

Entity Integrations Manual

Set up a recurring import of entities in ITE Work

After you bulk import entities in (ITE Work), you can configure recurring imports to update existing entities and create new entities. ITE Work uses a saved search for recurring imports. If you have existing, recurring imports from a CSV file that use modular inputs for the import action, those recurring imports continue to work, but you can't create new recurring imports from a CSV file with a modular input.

If you performed a bulk import from a Splunk search, configure a recurring import in Splunk Web. ITE Work creates a saved search that triggers the itsi_import_objects alert action for search results. The alert action uses the itsiimportobjects command to import entities.

If you performed a bulk import from a CSV file, deploy a universal forwarder to monitor the file and send data to indexes ITE Work uses to create and update entities. When ITE Work indexes the data, import events from a Splunk search and then set up a recurring import using a saved search.

Prerequisites

Requirement Description
ITE Work role You have to log in as a user with the itoa_admin or itoa_team_admin role.
Entity creation Before setting up a recurring import of entities, you have to have already imported entities from a Splunk search or CSV file.

Set up a recurring entity import from a CSV file

Follow these steps to create a recurring entity import from data you store in a CSV file. You have to set up a universal forwarder on the system you store the CSV file to monitor the file and send data to your Splunk platform deployment, run an import from a Splunk search, and finally set up a recurring import from the Splunk search.

For more information about monitoring files, see Monitor files and directories in the Splunk Enterprise Getting Data In manual.

You can't set up a recurring import directly from a CSV file in Splunk Web. Instead, follow these steps:

Steps

  1. Download and install a universal forwarder on the system that stores the CSV file. For information about setting up a universal forwarder, see Install the universal forwarder software in the Splunk Universal Forwarder Forwarder Manual.
  2. To enable the forwarder to send data to Splunk Cloud Platform, download the universal forwarder credentials file. For instructions, see the appropriate topic for the operating system that stores the CSV file in the Introduction to Getting Data In chapter of the Splunk Cloud Platform Admin Manual. This chapter includes instructions for getting data in from Amazon Web Services, Microsoft Azure, *nix, Windows, and local files and directories.
  3. If your Splunk platform deployment wasn't configured for receiving yet, configure receiving now. For more information, see Enable a receiver in the Splunk Enterprise Forwarding Data manual.
  4. Configure forwarding on the universal forwarder. For more information, see Configure the universal forwarder using configuration files in the Splunk Universal Forwarder Forwarder Manual.
  5. Configure the universal forwarder to monitor the CSV file that contains data you want to import to ITE Work where necessary. as entities. Use monitor stanzas in the inputs.conf file on the universal forwarder to monitor the CSV file and send data to your Splunk platform deployment. An example monitor stanza looks like this:
    [monitor:///path/to/my/file.csv]
    disabled = 0
    sourcetype = csv
    
    If the file ends with .csv, you don't have to specify the source type. For more information about configuring a universal forwarder to monitor the CSV file, see Monitor files and directories with inputs.conf in the Splunk Enterprise Getting Data In manual.
  6. Restart the universal forwarder:
    $SPLUNK_HOME/bin/splunk restart
    
  7. Once data from the CSV file is indexed in your Splunk platform deployment that runs ITE Work , manually import entities from a Splunk search. For more information about manually importing entities from a Splunk search, see Manually import entities from a Splunk search in ITE Work .
  8. Set up a recurring import from the import with a Splunk search.

Set up a recurring entity import from a Splunk search

Follow these steps to create a recurring entity import from a Splunk search.

The recurring import search executes as splunk-system-user, which returns entities from datasets that exist in indexes that the user creating the import might not have access to.

To set up a recurring import, you must have already set up an entity import from a Splunk search. For more information, see Manually import entities from a Splunk search in ITE Work .

  1. After the import from the search process is complete, click Set up Recurring Import.
  2. Provide a name for the recurring import.
  3. Set the scheduled time and frequency to run the import.
  4. Note: Configure the scheduled time based on the Splunk server's timezone.

  5. Click Submit. ITE Work creates a new saved search in the savedsearches.conf file. The name of the saved search is ITSI Import Objects - <importName>, where importName is the name of the import you specified when setting up the recurring import. The saved search triggers an alert action which runs a search command to add entities to ITE Work.

Modify or delete a recurring import

Modify or delete the saved search ITE Work created when you configured the recurring import from a search. Follow these steps to modify or delete a recurring import from a search.

  1. From Splunk Web, go to Settings > Searches, reports, and alerts.
  2. Find the saved search ITE Work created when you configured the recurring import. By default, the name of the saved search starts with ITSI Import Objects.
  3. Click Edit and select among these options to modify the saved search:
    Option Description
    Edit Search Change the description, search string, earliest time, or latest time for the recurring import.
    Edit Schedule Change the time interval to control how often the recurring import runs.
    Advanced Edit Change the field settings for the recurring import. For example, you can change the entity title and other parameters from here.
  4. If you want to delete the recurring import, click Edit and select Delete for the corresponding saved search.
Last modified on 28 February, 2024
entity discovery searches   Overview of entity types in

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters