Import entities from a search in ITE Work
Create entities in ITE Work from module searches, saved searches, or ad hoc searches that use indexed data coming into your Splunk platform deployment. ITE Work uses the itsiimportobjects command to import entities from searches.
You can import a maximum of 50,000 entities at a time. If you attempt to import more than 50,000 entities, only the first 50,000 are imported.
Prerequisites
Requirement | Description |
---|---|
ITE Work role | You have to log in as a user with the itoa_admin role, or as a user with the itoa_team_admin role that has write access to the global team. |
Indexed data | You have to have indexed data that you want to associate with entities. |
Steps
Follow these steps to import entities from a search in ITE Work.
- From the ITE Work main menu, go to Configuration > Entity Management.
- Select Create Entity > Import from Search.
- Select one of the following search types:
Search Type | Description |
---|---|
Modules (Only available in ITSI) | Choose from a list of pre-defined entity discovery searches based on ITSI modules. For more information about using modules to create entities, see ITSI module entity discovery in the ITSI Modules manual. |
Saved Searches | Choose from a list of pre-defined saved searches. |
Ad hoc Search | Enter a custom search string. |
- Enter an ad hoc search string, or select a predefined module search or saved search. Make sure the results are presented in a table. In this example, the entities are imported using an ad hoc search.
- Click the Search icon to view a preview of the search results.
- Click Next.
- Under Import Column As, select the appropriate column type for each column.
Column type | Description |
---|---|
Entity Title | Makes the column entry the entity title. The column is also added as an Entity Alias using <column name> = <value>. |
Entity Description | Makes the column entry a description of the entity. |
Entity Alias | Makes the column entry a searchable entity identifier. Event Data Search uses aliases to populate recent log events for an entity in the entity health page. When creating an entity alias, make sure the key-value pair is unique. ITE Work relies on alias key-value pairs to identify entities in visualizations. To identify any duplicate entity aliases in your environment, see the Check for Duplicate Entity Aliases panel of the ITSI Health Check dashboard. |
Entity Information field | Makes the column entry a tag that provides user-facing validation. Information fields are like common fields and can have the same values across entities. For example, an info field like datacenter=vault13 can be common to all the entities of the same data center. |
Entity Type | Associates the entity with an existing entity type that matches the column entry. If the entity type doesn't already exist, you have to create it first. ITE Work ignores entity type column entries that don't already exist. |
Service Title (Only applies to ITSI) | Makes the column entry the name of the service to associate the entity with. The service is created if it doesn't already exist. |
Service Description (Only applies to ITSI) | Makes the column entry the description of the service. |
Do Not Import | Removes the column entry from the imported data. |
- Configure the following options in the Settings section:
Option | Description |
---|---|
Service Team (Only displays in ITSI if you are importing services.) | The team to create the services in. |
Import Services As (Only displays in ITSI if you are importing services.) | Whether services are enabled or disabled upon import. |
Conflict Resolution | Determines how ITE Work updates and stores your entity data. Skip Over Existing Entities: Adds new entity data to the datastore only if the entity does not already exist. If an entity already exists, the entity is not updated. Update Existing Entities: Merges the imported data and the existing data associated with the entity. Uses the Conflict Resolution field to identify the entity. Replace Existing Entities: Replaces existing entity data with new entity data. Uses the Conflict Resolution field to identify the entity. |
Conflict Resolution Field | The field used to merge on. Entities that have the same field value are considered to be the same entity. For example, if there is an entity defined with the same IP then merge into that entity. If Conflict Resolution is set to Update Existing Entities or Replace Existing Entities, ITE Work resolves duplicate entities based on this field. |
- In the Preview section, click Entities to be imported to confirm that your entity import configuration is correct.
The preview shows the entity information you're importing. It doesn't show the final merged entity values.
- Click Import.
A message appears confirming that the import is complete.
- Click the View all Entities link to confirm your imported entities appear in the Entity viewer page.
- (Optional) Click Set up Recurring Import to create a saved search that triggers the itsi_import_objects alert action for search results. The alert action uses the itsiimportobjects command to import entities. For more information, see Set up recurring import of entities in ITE Work.
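A pre-import check for two constraints this page states, the 50,000-entity limit and the uniqueness of alias key-value pairs, follows as an added example; it is not Splunk code. It assumes the search results were exported to CSV, and the column names, sample rows, and the names load_rows and check_import are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

MAX_IMPORT = 50_000  # limit stated on this page; rows past it are not imported

# Constructed sample of tabular search results (not real data).
# "datacenter" plays the role of an information field, so shared values are fine.
SAMPLE_CSV = """host,ip,datacenter
web01,10.0.0.5,vault13
web02,10.0.0.6,vault13
db01,10.0.0.5,vault13
web01,10.0.0.5,vault13
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def check_import(rows, title_col, alias_cols, limit=MAX_IMPORT):
    """Return (rows_kept, rows_dropped, duplicate_aliases).

    duplicate_aliases maps "key=value" to the sorted entity titles that
    share it. Only columns mapped as Entity Title or Entity Alias are
    checked; comparison is exact (an assumption of this example).
    """
    rows = list(rows)
    kept = rows[:limit]  # only the first `limit` rows would be imported
    owners = defaultdict(set)
    for row in kept:
        title = row[title_col]
        # The title column is also added as an alias: <column name> = <value>
        for col in [title_col, *alias_cols]:
            value = (row.get(col) or "").strip()
            if value:
                owners[(col, value)].add(title)
    dupes = {
        f"{col}={value}": sorted(titles)
        for (col, value), titles in owners.items()
        if len(titles) > 1
    }
    return len(kept), len(rows) - len(kept), dupes


if __name__ == "__main__":
    print(check_import(load_rows(SAMPLE_CSV), "host", ["ip"]))
```

A non-empty duplicates result means two entity titles would claim the same alias pair, which is the condition the Check for Duplicate Entity Aliases panel reports after the fact.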
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1