Splunk® IT Service Intelligence

Modules

Download manual as PDF

This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Download topic as PDF

Install and configure ITSI modules

The following ITSI modules are installed as part of the Splunk IT Service Intelligence package:

The following ITSI modules are available for individual download:

All modules, whether included or downloaded and installed separately, do not require configuration. However, they do require relevant data to be indexed before you can create services based on the KPIs included in the modules.

See the documentation for each module that you want to use for links to the supported add-ons that are relevant for the environment you are monitoring with your ITSI deployment.

ITSI module entity discovery

ITSI module entity discovery works as follows:

  1. The ITSI admin provides data to ITSI by installing and configuring relevant Splunk add-ons.
  2. The entities send data to the indexers.
  3. The ITSI admin defines a new service, selecting an ITSI module to assist with service creation.
  4. The module automatically discovers entities for which relevant data has been collected.

The module uses a report (saved search) to discover entities. This search runs every four hours by default. You can manually run the search by doing one of the following actions:

  • Restart the Splunk platform.
  • Disable and enable the search.
  • Create entities manually.

Change the automatic entity discovery search

You can change the automatic entity search for a module.

  1. From the system bar in Splunk IT Service Intelligence, navigate to Configure > Entities.
  2. Select Create New Entity > Import from Search.
  3. On the Entity/Service Import page, select Modules.
  4. Select the module, entity search, and search time you want.
  5. Click Next
  6. Specify your columns, then click Save & Next.
  7. Preview your service dependencies, then click Save & Next.

The configuration has been saved. You do not need to save it again as a modular input. You can trigger the module entity import search outside of the standard 4-hour interval.

Disable the automatic entity discovery search

You can disable entity discovery searches you are not using if you like. It is also OK to keep them enabled.

In a single search head environment:

To disable a module automatic entity discovery search, navigate to Settings > Data inputs and select IT Service Intelligence CSV Import. You will see the module entity discovery searches listed here. Scroll to the far right end of the table and disable the search in the Status column.

In a search head cluster environment:

You must disable the entity discovery search in the inputs.conf file on the deployer and push the changes from the deployer to the cluster members.

Manually create entities

You can import entity information into ITSI.

  1. From the ITSI app menu bar, select Configure > Entities.
  2. Select Create New Entity > Import from Search.
  3. Click Modules. Two buttons appear and the search text field populates with the required search to locate entities.
  4. Confirm that the add-on button below the Modules button says ITSI Module for <Module> and that the search button below the add-on button says <Module> Entities search.
  5. (Optional) Set the time range that the search should run within by clicking the time range picker and choosing the range.
  6. Click the magnifying glass next to the time range picker to run the search. The Splunk platform searches indexed data and returns entity results for which data has been collected.
  7. Click Next.
  8. Navigate to the Specify Columns page.
  9. Review the information on the Specify Columns page. If you do not see the entity you want, then no data for that entity has been indexed into ITSI.
  10. Confirm that you installed and configured the correct add-on into a universal forwarder on that entity. Click Save & Next.
  11. Review the proposed changes to service dependencies, then click Save & Next. The Entity/Service Import success page shows you the number of entities you imported.
  12. Click Exit. ITSI returns you to the page you were on before you went to the Entity/Service Import page.


ITSI module roles

Versions 2.3.0 and above of ITSI use itsi_role in place of role, which was used in ITSI versions 2.2.2 and below. See the table to identify the roles that each module assigns to entities.

ITSI Module ITSI Role
ITSI Application Server Module application_server
ITSI Database Module database_instance
ITSI End User Experience Monitoring Module end_user_application
ITSI Load Balancer Module loadbalancer
ITSI Operating System Module operating_system_host
ITSI Storage Module storagesystem
ITSI Virtualization Module virtualization
ITSI Web Server Module web_server
PREVIOUS
About ITSI modules
  NEXT
ITSI module visualizations

This documentation applies to the following versions of Splunk® IT Service Intelligence: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4


Comments

Thank you for the comment, Esky73. I have changed the ""Disable and change the automatic entity discovery search"" section to "Change the automatic entity discovery search" and added a new section for "Disable the automatic entity discovery search."

Hjauch splunk, Splunker
April 24, 2018

The "Disable and change the automatic entity discovery search" section does not actually inform you how to disable a module. Is the only way by going into the saved searches and turning them off ? For example the DA-ITSI-VIRTUALIZATION module if not being used is it best practice to disable ? I can see there are 66 searches enabled but no way to bulk disable. It seems like only the Inventory_Lookup_Searches are scheduled to run. OR is there another way ?

Esky73
April 18, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters