Splunk® IT Service Intelligence

Entity Integrations Manual

Acrobat logo Download manual as PDF


Splunk IT Service Intelligence (ITSI) version 4.11.x reached its End of Life on December 6, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
Acrobat logo Download topic as PDF

Edit a default entity type in ITSI

Every entity type in (ITSI) comes with at least one default metrics filter and one default events filter that populates the Analysis Workspace with data. You can delete a custom entity type in ITSI, but you can't delete a default entity type. For a list of default entity types in ITSI, see Default entity types and their properties.

Prerequisites

Requirement Description
ITSI roles You have to log in as a user with the itoa_admin or itoa_team_admin role.

Edit a default entity type

Perform the following steps to edit a default entity type in ITSI:

  1. From the ITSI main menu, click Configuration > Entity Management.
  2. Click Entity Types.
  3. Click Edit on the entity type you want to edit.
  4. After you make your changes, click Save.


Configure vital metric alerts

You can configure alerts that generate notable events when vital metrics cross your established thresholds. Below displays the UI for the vital metric alert configuration:

The user interface displaying options to edit entity types and configure a vital metric alert.

Perform the following steps to configure vital metric alerts for default entity types:

  1. From the ITSI main menu, click Configuration > Entity Management.
  2. Go to the Entity Types tab.
  3. Click Edit on the entity type you want to edit.
  4. Expand the Vital Metrics (optional) section and select the vital metric that you want to create an alert for. The alert is applied to all entities categorized under the entity type that you create the alert for.
  5. In the Alerting section, click Add Alert. New alerts are enabled by default.
  6. In the alert window, set the alert schedule, a time to suppress the alert after it is fired, and alert thresholds for the vital metric.
  7. Set up trigger conditions for the thresholds. The Critical threshold is required. You can adjust this threshold value, but the threshold can't be deleted.
    1. (Optional) Click Add a threshold level to create a Warning threshold.
    2. For the If metric is field, select greater than or less than to set the threshold hierarchy. If you select greater than, the Critical threshold is a maximum threshold. If you select less than, the Critical threshold is a minimum threshold.
    3. (Optional) Use the Dimension is field to filter the alert by dimensions, such as, host, OS, etc. You can select multiple dimensions and multiple values of the same dimension. Multiple filter values of the same dimension are joined by OR. Filters of different dimensions are joined by AND. Wildcards, specified with an asterisk * are supported.
  8. Click Save.
  9. After configuring a vital metric alert, a new saved search is created in the local savedsearches.conf. For example, if you create a vital metric for Average CPU Usage for the *nix entity type, you'll see a searched called [ITSI Vital Metric Alert - Average CPU Usage Alert for *nix entity type]. When you remove an alert, the saved search will be deleted.

Do more with ITSI

Last modified on 28 April, 2023
PREVIOUS
Overview of entity types in ITSI
  NEXT
Create custom entity types in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters