Splunk® IT Service Intelligence

Service Insights Manual

Splunk IT Service Intelligence (ITSI) version 4.12.x reached its End of Life on January 22, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

Import services from a search in ITSI

You can import multiple services from IT Service Intelligence (ITSI) module searches, saved searches, and ad hoc searches. The workflow is identical to importing from a CSV, except you specify a search string instead of uploading a CSV file.

Use the bulk import functionality to perform the following tasks:

  • Create multiple services
  • Add service dependencies
  • Link services to service templates
  • Associate entities to services

Don't import more than 1,000 services with links to service templates. If you need to import more than 1,000 services and link them to service templates, do the imports in smaller batches. Only import 200-300 services with links to service templates at a time.

ITSI uses the itsiimportobjects command to import services from a Splunk search. All events that Splunk indexes from a service import are stored in the itsi_import_objects index. Each event has the itsi_import_objects:csv sourcetype.

The following example shows you how to import services and entities and associate the entities with the services. For an example of importing services through a CSV file and linking them to service templates, see the Import services from a CSV in ITSI.

Prerequisites

The search you write to bulk import services, dependencies, and entity rules depends on your specific use case. Perform the following prerequisite steps depending on your end goal:

Importing services

Write a search that contains the services you want to import. Optionally, provide service descriptions and service dependencies. Note that the services created through this method are not populated with KPIs or entities.

Importing services and linking them to service templates

When you link a service to a service template, the service receives the KPIs and entity rules from the template. If a service already exists, ITSI replaces any entity rules in the service with the entity rules in the service template. For more information about service templates, see Overview of service templates in ITSI.

  1. Review the entity rules for the service templates and determine which entity rules have configurable values. You must provide those values for each service in the search. For information about entity rules, see Add entity rules to a service in ITSI.
  2. Write a search that contains the services to import and the corresponding template to link them to.

Importing services with associated entities

Before importing, write a search that contains the services and entities to import. ITSI creates an entity rule for the service with Entity Title matches <value from Entity Title column> for each entity. See Import services from a CSV in ITSI for an example.

Importing services, linking them to service templates, and importing entities

Include columns to use as values for any configurable entity rules in the templates. To import entities, use either a separate column or the same column that is used for configurable entity rules. In the latter case, entities are created for the column you import as Entity Title. However, instead of adding entity rules in the format Entity Title matches <value from Entity Title column> to the service, ITSI adds the entity rules from the linked template to the service. Any configurable entity rules use the column(s) you specify as the value for the configurable entity rules.

Steps

In the following example, we create two services called Splunk Search Head Service and Splunk Indexer Service using the service_title column, and create three entities for the hosts listed in the host column and add these entities to the services.

  1. Click Configuration > Services from the ITSI top menu bar.
  2. Click Create Service > Import from search.
  3. Select one of the following search types:
    Search Type Description
    Modules Choose from a list of pre-defined entity discovery searches based on ITSI modules.
    Saved Search Choose from a list of pre-defined ITSI saved searches.
    Ad hoc Search Enter a custom search string.
  4. Enter an ad hoc search string or select a predefined module search or saved search. Make sure the results are presented in a table. For this example we are using an ad hoc search.
  5. Click the Search icon to see a preview of results. EntityImportSearch.png
  6. Click Next to see a table populated by your search results. Use this page to specify how to classify and store the file column entries that define your entities.
  7. In this example, we're importing the columns in our search results as follows. ImportSpecifyColumns.png
  8. In the Settings section, configure the following items:
    Field Description
    Service Team The team that the service belongs to. Entities are always created in the Global team.
    Import Services As Whether services are enabled or disabled upon upgrade.
    Conflict Resolution Determines how ITSI updates and stores your entity data:
    • Skip Over Existing Entities: Adds new entity data to the datastore only if the entity does not already exist. If an entity exists, the information is not updated.
    • Update Existing Entities: Merges the imported data and the existing data associated with the entity.
    • Replace Existing Entities: Replaces existing entity data with new entity data.
    Conflict Resolution Field The field used to identify entities. Entities that have the same field value are considered the same entity. If Conflict Resolution is set to Update Existing Entities or Replace Existing Entities, ITSI resolves duplicate entities based on this field.

    For more information, see Resolve conflicts during ITSI entity imports.

  9. In the Preview section, click Services to be imported to confirm that your service import configuration is correct.
    BulkImportPreview.png
  10. Click Import.
    A message confirms that the import is complete.
  11. Click View All Services or View all Entities to confirm that your imported services and entities now appear on the respective Service or Entity page.
  12. (Optional) Click Set up Recurring Import to create a saved search that runs and triggers the itsi_import_objects alert action for search results. The alert action uses the itsiimportobjects command to import entities on a recurring basis.

Create a saved search in ITSI

Create a saved search, also called a scheduled report, in IT Service Intelligence (ITSI) to use when importing entities and services.

  1. From the top navigation menu, click Settings > Searches, Reports, and Alerts.
  2. Click New Report. When you define a report in Settings, you set it up as a saved search. It appears as a report on the lister page when you're done.
  3. Provide a title in the format "IT Service Intelligence - <custom text>". For example, IT Service Intelligence - get my entities. This format is required for the saved search to show up when importing entities and services from a saved search in ITSI.
  4. Provide a search string under Search.
  5. (Optional) Provide the search Earliest time and Latest time using relative time modifiers. If you want the search to run over all time, leave these fields blank.
  6. For App, select IT Service Intelligence (itsi).
  7. Click Save.
  8. After the search saves, locate the search on the lister page and click Edit > Edit Permissions.
  9. For Display For, select All apps.
  10. Click Save.
  11. Restart Splunk software to add the search to savedsearches.conf.

The search appears in the list of ITSI saved searches when you import services and entities.

Last modified on 29 April, 2024
Import services from a CSV in ITSI   Add service dependencies in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters