Splunk® IT Service Intelligence

Administration Manual


Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence.

Add entity rules to a service in ITSI

Entity rules let you dynamically filter KPI searches based on entity alias matches. You can use entity rules to associate entities with KPIs at the service level, which makes it unnecessary to specify entity identifying fields for each KPI search.

When to add entity rules

Entity rules are optional and you can add them at any time. Add entity rules if you want to be able to filter a KPI by the entities in the service. There are many scenarios where entity rules can make it easier to configure your services, including the following:

  • You want to match entity ID data not recognized inside Splunk Enterprise (such as mapping a naming scheme to specific devices). For example, your organization might use a server naming convention such as server-01, server-02, and so on. These names do not appear as fields inside Splunk searches. Adding rules that match your entity aliases to your server naming scheme lets you apply KPI searches to those servers.
  • You want to disambiguate between multiple fields that identify the same machine (such as a host with multiple IP addresses).

How to set up entity rules

You can set up entity rules to match entities based on entity aliases, info, or entity title. You can also create rules based on multiple AND/OR conditions.

For example, if you want to add entity rules that identify your database servers, and those servers have aliases of host=mysql-01, host=mysql-02, host=mysql-03 and so on, you can add an entity rule such as "host matches mysql*" to identify the servers on which to run the KPI search.


This entity rule matches the host field in Splunk data with your mysql* servers and adds each server to all KPI searches in the service.

Entity rule values can be left blank. For example, you could specify "web_server does not match" and leave the value field empty to include all values for the web_server field.

Filter entities out of a service

Use the "does not match" entity rule to filter entities out of a service rather than in. For example, if you want to filter out your database servers, you could add a rule such as "host does not match mysql*" so the KPI search does not run on those servers.

The "does not match" entity rule always behaves as if a wildcard (*) were appended to the value you specify, so it filters out every value that starts with that string rather than only the exact value.

For example, suppose you have two entities, one with the info field location = Z and another with location = ZZZ. If you create the entity rule "location does not match Z", no entities match the service: Z behaves as if it has a wildcard at the end, filtering out every info field value that begins with the letter "Z".

This is the default behavior. To work around it, create an OR condition in the entity rules so that the logic selects the entities you intend. For example:

  • Rule 1: location does not match A, B, C, ..., Z
  • Rule 2: location matches ZZZ
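The following model, added here as an illustration and not Splunk's own code, shows the matching semantics this topic describes: "matches" uses the pattern exactly as written, "does not match" behaves as if a trailing wildcard were appended, and a blank value selects every entity that carries the field. Entities, aliases and locations are constructed sample data; the AND-within-group, OR-across-groups arrangement of rules and the case-sensitive glob matching are assumptions of this model. Because an over-broad "does not match" can leave a service with no entities at all, so that its KPIs silently monitor nothing, the model includes a check that reports when a rule set selects nothing, which is worth running before saving rules. The workaround example uses a single excluded value rather than the A through Z list above.

```python
"""Model of the ITSI entity-rule semantics described on this page (added
illustration, not Splunk's implementation). An entity is a dict of
field -> list of values (entity aliases or info fields); a rule is
(field, operator, value). Glob matching is case-sensitive here, which is
an assumption of this model."""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

Entity = Dict[str, List[str]]  # field name -> values (aliases or info fields)
Rule = Tuple[str, str, str]    # (field, operator, value); operator is "matches" or "does not match"

# Constructed sample entities; names, aliases and locations are invented.
ENTITIES: Dict[str, Entity] = {
    "mysql-01": {"host": ["mysql-01"], "location": ["Z"]},
    "mysql-02": {"host": ["mysql-02", "10.0.0.2"], "location": ["ZZZ"]},
    "web-01": {"host": ["web-01"], "location": ["A"]},
}


def eval_rule(entity: Entity, rule: Rule) -> bool:
    """Evaluate one rule against one entity.

    A blank value means "any value of this field", as the page describes for
    "web_server does not match" with an empty value: the rule then selects
    every entity that carries the field at all.
    """
    field, operator, value = rule
    values = entity.get(field, [])
    if value == "":
        return bool(values)
    if operator == "matches":
        # "matches" uses the pattern as written: "mysql*" selects mysql-01,
        # mysql-02, ... while "Z" selects only the exact value Z.
        return any(fnmatchcase(v, value) for v in values)
    if operator == "does not match":
        # Per the page, "does not match" behaves as if "*" were appended, so
        # "Z" excludes every value beginning with Z (Z, ZZZ, Zurich, ...).
        # An entity lacking the field has nothing to exclude and is kept.
        implicit = value if value.endswith("*") else value + "*"
        return not any(fnmatchcase(v, implicit) for v in values)
    raise ValueError(f"unknown operator: {operator!r}")


def entity_selected(entity: Entity, rule_groups: List[List[Rule]]) -> bool:
    """rule_groups is a list of OR-ed groups, each a list of AND-ed rules.
    This layout is this model's reading of "multiple AND/OR conditions"."""
    return any(all(eval_rule(entity, r) for r in group) for group in rule_groups)


def select_entities(entities: Dict[str, Entity], rule_groups: List[List[Rule]]) -> List[str]:
    """Names of the entities a rule set would add to the service's KPI searches."""
    return sorted(name for name, ent in entities.items() if entity_selected(ent, rule_groups))


def selects_nothing(entities: Dict[str, Entity], rule_groups: List[List[Rule]]) -> bool:
    """Pre-save check: True when the rule set leaves the service with no
    entities, so that every KPI in the service would cover nothing."""
    return not select_entities(entities, rule_groups)


if __name__ == "__main__":
    examples = {
        "host matches mysql*": [[("host", "matches", "mysql*")]],
        "host does not match mysql*": [[("host", "does not match", "mysql*")]],
        "location does not match Z": [[("location", "does not match", "Z")]],
        "location does not match Z OR location matches ZZZ": [
            [("location", "does not match", "Z")],
            [("location", "matches", "ZZZ")],
        ],
    }
    for label, groups in examples.items():
        print(f"{label:52s} -> {select_entities(ENTITIES, groups)}")
```

Running the script lists the entities each rule set selects; note that "location does not match Z" drops the ZZZ entity as well, and only the OR-ed "location matches ZZZ" rule brings it back.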

Last modified on 03 March, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5
