Set up a recurring import of entities in ITE Work
After you bulk import entities in (ITE Work), you can configure recurring imports to update existing entities and create new entities. ITE Work uses a saved search for recurring imports. If you have existing, recurring imports from a CSV file that use modular inputs for the import action, those recurring imports continue to work, but you can't create new recurring imports from a CSV file with a modular input.
If you performed a bulk import from a Splunk search, configure a recurring import in Splunk Web. ITE Work creates a saved search that triggers the itsi_import_objects
alert action for search results. The alert action uses the itsiimportobjects
command to import entities.
If you performed a bulk import from a CSV file, deploy a universal forwarder to monitor the file and send data to indexes ITE Work uses to create and update entities. When ITE Work indexes the data, import events from a Splunk search and then set up a recurring import using a saved search.
Prerequisites
Requirement | Description |
---|---|
ITE Work role | You have to log in as a user with the itoa_admin or itoa_team_admin role. |
Entity creation | Before setting up a recurring import of entities, you have to have already imported entities from a Splunk search or CSV file. |
Set up a recurring entity import from a CSV file
Follow these steps to create a recurring entity import from data you store in a CSV file. You have to set up a universal forwarder on the system you store the CSV file to monitor the file and send data to your Splunk platform deployment, run an import from a Splunk search, and finally set up a recurring import from the Splunk search.
For more information about monitoring files, see Monitor files and directories in the Splunk Enterprise Getting Data In manual.
You can't set up a recurring import directly from a CSV file in Splunk Web. Instead, follow these steps:
Steps
- Download and install a universal forwarder on the system that stores the CSV file. For information about setting up a universal forwarder, see Install the universal forwarder software in the Splunk Universal Forwarder Forwarder Manual.
- To enable the forwarder to send data to Splunk Cloud Platform, download the universal forwarder credentials file. For instructions, see the appropriate topic for the operating system that stores the CSV file in the Introduction to Getting Data In chapter of the Splunk Cloud Platform Admin Manual. This chapter includes instructions for getting data in from Amazon Web Services, Microsoft Azure, *nix, Windows, and local files and directories.
- If your Splunk platform deployment wasn't configured for receiving yet, configure receiving now. For more information, see Enable a receiver in the Splunk Enterprise Forwarding Data manual.
- Configure forwarding on the universal forwarder. For more information, see Configure the universal forwarder using configuration files in the Splunk Universal Forwarder Forwarder Manual.
- Configure the universal forwarder to monitor the CSV file that contains data you want to import to ITE Work where necessary. as entities. Use
monitor
stanzas in the inputs.conf file on the universal forwarder to monitor the CSV file and send data to your Splunk platform deployment. An examplemonitor
stanza looks like this:If the file ends with[monitor:///path/to/my/file.csv] disabled = 0 sourcetype = csv
.csv
, you don't have to specify the source type. For more information about configuring a universal forwarder to monitor the CSV file, see Monitor files and directories with inputs.conf in the Splunk Enterprise Getting Data In manual. - Restart the universal forwarder:
$SPLUNK_HOME/bin/splunk restart
- Once data from the CSV file is indexed in your Splunk platform deployment that runs ITE Work , manually import entities from a Splunk search. For more information about manually importing entities from a Splunk search, see Manually import entities from a Splunk search in ITE Work .
- Set up a recurring import from the import with a Splunk search.
Set up a recurring entity import from a Splunk search
Follow these steps to create a recurring entity import from a Splunk search.
The recurring import search executes as splunk-system-user
, which returns entities from datasets that exist in indexes that the user creating the import might not have access to.
To set up a recurring import, you must have already set up an entity import from a Splunk search. For more information, see Manually import entities from a Splunk search in ITE Work .
- After the import from the search process is complete, click Set up Recurring Import.
- Provide a name for the recurring import.
- Set the scheduled time and frequency to run the import.
- Click Submit. ITE Work creates a new saved search in the savedsearches.conf file. The name of the saved search is
ITSI Import Objects - <importName>
, whereimportName
is the name of the import you specified when setting up the recurring import. The saved search triggers an alert action which runs a search command to add entities to ITE Work.
Note: Configure the scheduled time based on the Splunk server's timezone.
Modify or delete a recurring import
Modify or delete the saved search ITE Work created when you configured the recurring import from a search. Follow these steps to modify or delete a recurring import from a search.
- From Splunk Web, go to Settings > Searches, reports, and alerts.
- Find the saved search ITE Work created when you configured the recurring import. By default, the name of the saved search starts with
ITSI Import Objects
. - Click Edit and select among these options to modify the saved search:
Option Description Edit Search Change the description, search string, earliest time, or latest time for the recurring import. Edit Schedule Change the time interval to control how often the recurring import runs. Advanced Edit Change the field settings for the recurring import. For example, you can change the entity title and other parameters from here. - If you want to delete the recurring import, click Edit and select Delete for the corresponding saved search.
entity discovery searches | Overview of entity types in |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1
Feedback submitted, thanks!