Splunk® IT Service Intelligence

Administration Manual

Splunk IT Service Intelligence (ITSI) version 4.12.x reached its End of Life on January 22, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

itsi_entity_type.conf

The following are the spec and example files for itsi_entity_type.conf.

itsi_entity_type.conf.spec

# This file contains possible settings you can use to upload sample
# entity types to the KV store.
#
# An entity type defines how to classify a type of data source.
# For example, you can create a Windows, Kubernetes, or VMware vCenter Server entity type.
# An entity type can include zero or more entity data drilldowns and zero or more entity data dashboards.
#
# There is an itsi_entity_type.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default. To set custom
# configurations, place an itsi_entity_type.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
# You must restart ITSI to enable new configurations.
#
# To learn more about configuration files (including precedence), see the
# documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles.

[<name>]

title = <string>
* Required
* Title of the entity type.

description = <string>
* Description of the entity type.

dashboard_drilldowns = <json array>
* Required. If no value empty list
* A list of dashboard drilldowns that entities of this class can use to associate with raw data.
* A single dashbobard drilldown JSON object contains the following fields
{
    "title": <string>
    * Usage:
        * Required
        * The title of the dashboard.

    "id" = <string>
    * Usage:
        * Required
        * A unique ID for the dashboard drilldown.

    "is_splunk_dashboard" = <boolean>
    * Usage:
        * Required
        * A flag to determine whether the dashboard drilldown is saved as a navigation or a splunk dashboard.

    "base_url": <string>
    * Usage:
        * An internal or external URL pointing to the dashboard.

    "params": <json>
    * Usage:
        * Contains two fields: 'alias_param_map' and 'static_params'.
        * 'alias_param_map' is a mapping of a URL parameter and its alias.
        * 'static_params' are parameters with a defined value.
        * Example:
            {
                "static_params": {
                    "start_time": "-12h",
                },
                "alias_param_map": [
                    {
                        "alias": "host",
                        "param": "node"
                    }
                ]
            }
}

data_drilldowns = <json array>
* A list of data drilldowns that entities of this class can use to populate pre-built dashboards.
* A single data drilldown JSON object contains the following fields
{
    "title": <string>
    * Usage:
        * Required
        * The title of the entity data drilldown.

    "type": <metrics|events>
    * Usage:
        * Required
        * The type of indexed data that this drilldown is associated with.
        * Must be either "metrics" or "events".

    "static_filter": <json>
    * Usage:
        * An SPL filter represented by a JSON structure following a defined schema.
        * The static filter finds a subset of indexed data that is associated with
          this entity data drilldown.
        * There are two types of filters for a static_filter:
          1. Basic filter - fields including:
            - type: One of "include" or "exclude"
            - field: The field name in raw data
            - values: A list of values for "field" to filter on
          2. Boolean filter - fields including:
            - type: One of "or" or "and"
            - filters: A list of filters in the shape of a basic filter or boolean filter

        * The following example filter is equivalent to "sourcetype=access_logs AND index=main":
        { \
            "type": "and", \
            "filters": [ \
                { \
                    "type": "include", \
                    "field": "sourcetype", \
                    "values": ["access_logs"] \
                }, \
                { \
                    "type": "include", \
                    "field": "index", \
                    "values": ["main"] \
                } \
            ] \
        }

    "entity_field_filter": <json>
    * Usage:
        * Specifies what field (info or alias) of an entity to apply
          to further filter down the indexed data.
        * There are two types of filters for an entity_field_filter:
          1. Entity field filter - fields including:
            - type: Must be "entity"
            - data_field: The field name in raw data
            - entity_field: The field of an entity whose value will be used to filter on raw data with "data_field"
          2. Boolean filter - fields including:
            - type: One of "or" or "and"
            - filters: A list of filters in the shape of a entity field filter or boolean filter

        * Example:
        { \
            "type": "or", \
            "filters": [ \
                { \
                    "type": "entity", \
                    "data_field": "src", \
                    "entity_field": "ip" \
                }, \
                { \
                    "type": "entity", \
                    "data_field": "dest", \
                    "entity_field": "ip" \
                } \
            ] \
        }
        * For an entity with "ip=1.2.3.4", this is equivalent to "src=1.2.3.4 OR dest=1.2.3.4".
        * Combined with the static filter example above, the final filter of this entity data drilldown
          is equivalent to "(sourcetype=access_logs AND index=main) AND (src=1.2.3.4 OR dest=1.2.3.4)"
}

vital_metrics = <json array>
* Optional
* A list of vital metrics that entities of this class are associated with.
{
    "metric_name": <string>
    * Usage:
        * Required
        * The name of the metric.

    "search" = <string>
    * Usage:
        * Required
        * SPL to find this metric.

    "split_by_fields": <array>
    * Usage:
        * Required
        * An array of fields used to split the results to entities.

    "matching_entity_fields": <array>
    * Usage:
        * Required
        * The fields used to look up entities from the KV store.
        * Example: split_by_fields=[id,name], matching_entity_fields=[id,host]
        * Raw event "id" field maps to "id" field of entity, and "name" field maps to "host" field

    "is_key": <boolean>
    * Usage:
        * Optional
        * If "true", this metric is used as a key metric for this entity type in the Infrastructure Overview. 
        * Default: false

    "unit": <string>
    * Usage:
        * Optional
        * The unit for the metric.
}

_immutable = <boolean>
* Required
* Whether you can edit or delete the entity data drilldown.
* If "true", you can't edit or delete the entity data drilldown.
* If "false", you can edit or delete the entity data drilldown.
* Default: false

itsi_entity_type.conf.example

No example
Last modified on 28 April, 2023
itsi_deep_dive.conf   itsi_event_management.conf

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters