Splunk® IT Essentials Work

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Edit a default entity type in ITE Work

Every entity type in ITE Work comes with at least one default metrics filter and one default events filter that populate the Analysis Workspace with data. You can delete a custom entity type in ITE Work, but you can't delete a default entity type. For a list of default entity types in ITE Work, see Default entity types and their properties.

Prerequisites

| Requirement | Description |
| --- | --- |
| ITE Work roles | You have to log in as a user with the itoa_admin or itoa_team_admin role. |

Edit a default entity type

Perform the following steps to edit a default entity type in ITE Work:

  1. From the ITE Work main menu, click Configuration > Entity Management.
  2. Click Entity Types.
  3. Click Edit on the entity type you want to edit.
  4. After you make your changes, click Save.


Configure vital metric alerts

You can configure alerts that generate notable events when vital metrics cross your established thresholds. The following image shows the UI for the vital metric alert configuration:

[Image: The user interface displaying options to edit entity types and configure a vital metric alert.]

Perform the following steps to configure vital metric alerts for default entity types:

  1. From the ITE Work main menu, click Configuration > Entity Management.
  2. Go to the Entity Types tab.
  3. Click Edit on the entity type you want to edit.
  4. Expand the Vital Metrics (optional) section and select the vital metric that you want to create an alert for. The alert is applied to all entities categorized under the entity type that you create the alert for.
  5. In the Alerting section, click Add Alert. New alerts are enabled by default.
  6. In the alert window, set the alert schedule, a time to suppress the alert after it is fired, and alert thresholds for the vital metric.
  7. Set up trigger conditions for the thresholds. The Critical threshold is required. You can adjust this threshold value, but the threshold can't be deleted.
    1. (Optional) Click Add a threshold level to create a Warning threshold.
    2. For the If metric is field, select greater than or less than to set the threshold hierarchy. If you select greater than, the Critical threshold is a maximum threshold. If you select less than, the Critical threshold is a minimum threshold.
    3. (Optional) Use the Dimension is field to filter the alert by dimensions, such as host or OS. You can select multiple dimensions and multiple values of the same dimension. Multiple filter values of the same dimension are joined by OR. Filters of different dimensions are joined by AND. Wildcards, specified with an asterisk (*), are supported.
  8. Click Save.
  9. After you configure a vital metric alert, a new saved search is created in the local savedsearches.conf. For example, if you create a vital metric for Average CPU Usage for the *nix entity type, you'll see a search called [ITSI Vital Metric Alert - Average CPU Usage Alert for *nix entity type]. When you remove an alert, the saved search is deleted.
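
The following is an added example, not part of the Splunk documentation or the ITE Work code: a Python check that reads the text of a savedsearches.conf and reports which vital metric alert searches are enabled, disabled, or missing, so you can confirm that an alert you rely on still exists. The stanza prefix is assumed from the single example name in the last step, and the sample file contents, key values, and placeholder alert names are constructed.

```python
import re

# Assumption: vital metric alert stanzas share this prefix, taken from the
# single example name shown in this topic.
PREFIX = "ITSI Vital Metric Alert - "

# Constructed sample of a local savedsearches.conf. Only the first stanza name
# comes from this topic; the other stanzas and all key values are made up.
SAMPLE_CONF = r"""
[ITSI Vital Metric Alert - Average CPU Usage Alert for *nix entity type]
disabled = 0
search = | mstats avg(placeholder_metric) AS val BY host \
    | where val > 90

[ITSI Vital Metric Alert - Placeholder Memory Alert for *nix entity type]
disabled = 1

[Unrelated Report]
search = index=main | stats count
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):        # value continues on the next line
            pending = line[:-1]
            continue
        pending, line = "", line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_vital_metric_alerts(text, expected=()):
    """Return (enabled, disabled, missing) alert names with the prefix stripped.
    A stanza with no "disabled" key counts as enabled; only 1/true are read as disabled."""
    alerts = {name[len(PREFIX):]: keys for name, keys in parse_conf(text).items()
              if name.startswith(PREFIX)}
    disabled = sorted(n for n, k in alerts.items() if k.get("disabled", "0").lower() in ("1", "true"))
    enabled = sorted(set(alerts) - set(disabled))
    missing = sorted(set(expected) - set(alerts))   # expected, but no stanza in the file
    return enabled, disabled, missing

if __name__ == "__main__":
    print(audit_vital_metric_alerts(SAMPLE_CONF, ["Placeholder Disk Alert for *nix entity type"]))
```

Pass the names of the alerts you expect to exist as the second argument; any name returned in the third list has no saved search in the file, which is what you would see after the alert is removed.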


Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3

