Splunk® IT Service Intelligence

Entity Integrations Manual

Update an entity discovery search in ITSI

Entity discovery searches find and track your infrastructure's entity data, helping you to monitor entity health. When a search stops finding data for an entity, it may be an issue with the discovery search configuration. Update discovery searches to troubleshoot and resolve an unstable or inactive entity status in a single workflow. When you update an entity discovery search in ITSI, it updates all the entities associated with the search. For more information about ITSI entity discovery searches, see Overview of ITSI entity discovery searches.

Steps

  1. From the ITSI main menu, select Configuration, then Entity Management.
  2. Select the Entity Discovery Searches tab, and select a discovery search to update.

    You can also get to this page by selecting the Configure Search button from the Entity Discovery Searches tab on the entity details page.

  3. Update the following settings for the search on the search detail page:
    Option Description
    Enable Search Turns the search on or off. An entity may appear to be inactive because the discovery search associated with the entity needs to be turned on. Updating this setting updates all entities associated with the search. To see a list of all entities associated with a search, view the Explore entities section on the page. To avoid performance issues caused by excessive search executions, you can turn off entity discovery searches for entities that you're not using to collecting data.
    Enable status tracking Turns entity status tracking on or off. Turns this setting off to exclude the search from contributing to the entity status calculation for any associated entities. This setting will affect all associated entities that the search is currently finding data for.
    Edit Search Opens the Searches, Reports, and Alerts page to update the SPL query directly, as well as the search permissions, cron schedule, summary indexing, and other settings. For example, you can use this page to update the search cron schedule so that it matches the rate at which an entity is sending data, and the search can contribute to an accurate entity status calculation.
    Run Search Opens a new page summarizing search events, discovered entities, and other information related to the search. Run a search to view its relationships with entities in your environment and troubleshoot potential issues causing an unstable entity status.
  4. On the Explore entities section, view all of the entities associated with the discovery search, when data was last discovered for each entity, and the most recent time that the entity was active. You can filter for specific criteria using the dropdown. For example, you can filter the list to display only entities with an unstable status.
  5. After completing changes, select Save. The changes are applied to all entities currently using the search.
Last modified on 13 October, 2023
Overview of ITSI entity discovery searches   Set up a recurring import of entities in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters