Splunk® IT Service Intelligence

Entity Integrations Manual

Overview of ITSI entity discovery searches

(ITSI) includes saved searches that are turned on by default to discover your infrastructure's entity data.

You can find the complete list of saved searches in the Entity Discovery Searches tab on the Entity Management page, or under the [ITSI Import Objects] stanza in $SPLUNK_HOME/etc/apps/itsi/default/savedsearches.conf.

Prerequisites

You can use entity discover saved searches after having met the following prerequisites:

Update search macros

Include the index that you are sending data to as part of the itsi_im_metrics_indexes macro to use the entity discovery saved searches shipped with ITSI.

If you are using a custom saved search in ITSI, update the macro to include the index that you are sending data to. You can do this by updating your HEC token configuration to point to the correct ITSI indexes. For more information about updating your HEC tokens, see Configure the HTTP Event Collector to collect entity integration data in ITSI.

Indexed data

You have to have already indexed data you want to associate with entities.

Entity Discovery Searches reference

The following table is a list of entity discovery searches available in ITSI, and the common data sources discovered by each search:

Saved search Data sources Entity type Data integration method
ITSI Import Objects - AWS Cloudwatch EBS
  • AWS Cloudwatch EBS metrics
 N/A Splunk Add-on for AWS
ITSI Import Objects - AWS Cloudwatch EC2
  • AWS Cloudwatch EC2 metrics
 N/A Splunk Add-on for AWS
ITSI Import Objects - AWS Cloudwatch ELB
  • AWS Cloudwatch ELB metrics
 N/A Splunk Add-on for AWS
ITSI Import Objects - Kubernetes Node
  • Kubernetes Node metrics
  • Kubernetes Node metadata
 Kubernetes Node Splunk Connect for Kubernetes
ITSI Import Objects - Kubernetes Pod
  • Kubernetes Pod metrics
  • Kubernetes Pod metadata
 Kubernetes Pod Splunk Connect for Kubernetes
ITSI Import Objects - OS
  • System metrics
 *nix Unix and Linux Integration - Collectd
ITSI Import Objects - Perfmon
  • System metrics
 Windows Perfmon on Splunk Universal Forwarder
ITSI Import Objects - TA *Nix
  • System metrics
 Unix/Linux Add-on Unix and Linux Integration - Splunk Add-on for Unix and Linux
ITSI Import Objects - VMWare Cluster
  • VMware Cluster metrics
 VMware Cluster VMware
ITSI Import Objects - VMware Datastore
  • VMware Datastore metrics
  • VMware VM/ESXI Datastore metrics
 VMware Datastore VMware
ITSI Import Objects - VMware Host
  • VMware ESXi metrics
  • VMware ESXi Host
  • VMware
 VMware ESXi Host VMware
ITSI Import Objects - VMware VM
  • VMware VM metrics
 VMware VM VMware
ITSI Import Objects - VMware vCenter
  • VMware vCenter metrics
 VMware vCenter VMware

Entity type to macro mapping

For ITSI and ITE Work to perform as designed, you need to modify macros for entity search from any custom metrics indexes. Use the following table as a reference for the involved entity types and macros.

Entity type Vital metrics macro name
*nix itsi_entity_type_nix_metrics_indexes
Kubernetes Node itsi_entity_type_k8s_node_metrics_indexes
Kubernetes Pod itsi_entity_type_k8s_pod_metrics_indexes
Unix/Linux Add-on itsi_entity_type_ta_nix_metrics_indexes
VMware Cluster itsi_entity_type_vmware_cluster_metrics_indexes
VMware Datastore itsi_entity_type_vmware_datastore_metrics_indexes
VMware ESXi Host itsi_entity_type_vmware_esxihost_metrics_indexes
VMware vCenter itsi_entity_type_vmware_vcenter_metrics_indexes
VMware VM itsi_entity_type_vmware_vm_metrics_indexes
Windows itsi_entity_type_windows_metrics_indexes

Update an entity discovery search

You can turn a search on or off, update the query and search schedule settings, and more for each entity discovery search.

To update the searches, follow these steps:

  1. Navigate to Entity Management then Entity Discovery Searches.
  2. Select the search you want to update.
  3. Update the search using the different settings on the search details page. For more information, see Update an entity discovery search in ITSI.

After the searches run, your entities display on the Entity Overview page, where you can track the entity's status and investigate vital metrics. For more information, see About the Entity Overview in ITSI.

Last modified on 23 January, 2024
Import entities from a CSV file in ITSI   Update an entity discovery search in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.18.0, 4.18.1, 4.19.0, 4.19.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters