itsi_entity_type.conf
The following are the spec and example files for itsi_entity_type.conf.
itsi_entity_type.conf.spec
# This file contains possible settings you can use to upload sample
# entity types to the KV store.
#
# An entity type defines how to classify a type of data source.
# For example, you can create a Windows, Kubernetes, or VMware vCenter Server entity type.
# An entity type can include zero or more entity data drilldowns and zero or more entity data dashboards.
#
# There is an itsi_entity_type.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default. To set custom
# configurations, place an itsi_entity_type.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
# You must restart ITSI to enable new configurations.
#
# To learn more about configuration files (including precedence), see the
# documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles.

[<name>]

title = <string>
* Required
* Title of the entity type.

description = <string>
* Description of the entity type.

dashboard_drilldowns = <json array>
* Required. If there is no value, use an empty list.
* A list of dashboard drilldowns that entities of this class can use to associate with raw data.
* A single dashboard drilldown JSON object contains the following fields:
  {
    "title": <string>
      * Usage:
        * Required
        * The title of the dashboard.
    "id" = <string>
      * Usage:
        * Required
        * A unique ID for the dashboard drilldown.
    "is_splunk_dashboard" = <boolean>
      * Usage:
        * Required
        * A flag to determine whether the dashboard drilldown is saved as a navigation or a Splunk dashboard.
    "base_url": <string>
      * Usage:
        * An internal or external URL pointing to the dashboard.
    "params": <json>
      * Usage:
        * Contains two fields: 'alias_param_map' and 'static_params'.
        * 'alias_param_map' is a mapping of a URL parameter and its alias.
        * 'static_params' are parameters with a defined value.
        * Example:
          {
            "static_params": {
              "start_time": "-12h"
            },
            "alias_param_map": [
              {
                "alias": "host",
                "param": "node"
              }
            ]
          }
  }

data_drilldowns = <json array>
* A list of data drilldowns that entities of this class can use to populate pre-built dashboards.
* A single data drilldown JSON object contains the following fields:
  {
    "title": <string>
      * Usage:
        * Required
        * The title of the entity data drilldown.
    "type": <metrics|events>
      * Usage:
        * Required
        * The type of indexed data that this drilldown is associated with.
        * Must be either "metrics" or "events".
    "static_filter": <json>
      * Usage:
        * An SPL filter represented by a JSON structure following a defined schema.
        * The static filter finds a subset of indexed data that is associated with this entity data drilldown.
        * There are two types of filters for a static_filter:
          1. Basic filter - fields including:
             - type: One of "include" or "exclude"
             - field: The field name in raw data
             - values: A list of values for "field" to filter on
          2. Boolean filter - fields including:
             - type: One of "or" or "and"
             - filters: A list of filters in the shape of a basic filter or boolean filter
        * The following example filter is equivalent to "sourcetype=access_logs AND index=main":
          { \
            "type": "and", \
            "filters": [ \
              { \
                "type": "include", \
                "field": "sourcetype", \
                "values": ["access_logs"] \
              }, \
              { \
                "type": "include", \
                "field": "index", \
                "values": ["main"] \
              } \
            ] \
          }
    "entity_field_filter": <json>
      * Usage:
        * Specifies which field (info or alias) of an entity to apply to further filter down the indexed data.
        * There are two types of filters for an entity_field_filter:
          1. Entity field filter - fields including:
             - type: Must be "entity"
             - data_field: The field name in raw data
             - entity_field: The field of an entity whose value will be used to filter on raw data with "data_field"
          2. Boolean filter - fields including:
             - type: One of "or" or "and"
             - filters: A list of filters in the shape of an entity field filter or boolean filter
        * Example:
          { \
            "type": "or", \
            "filters": [ \
              { \
                "type": "entity", \
                "data_field": "src", \
                "entity_field": "ip" \
              }, \
              { \
                "type": "entity", \
                "data_field": "dest", \
                "entity_field": "ip" \
              } \
            ] \
          }
        * For an entity with "ip=1.2.3.4", this is equivalent to "src=1.2.3.4 OR dest=1.2.3.4".
        * Combined with the static filter example above, the final filter of this entity data drilldown
          is equivalent to "(sourcetype=access_logs AND index=main) AND (src=1.2.3.4 OR dest=1.2.3.4)"
  }

vital_metrics = <json array>
* Optional
* A list of vital metrics that entities of this class are associated with.
  {
    "metric_name": <string>
      * Usage:
        * Required
        * The name of the metric.
    "search" = <string>
      * Usage:
        * Required
        * SPL to find this metric.
    "split_by_fields": <array>
      * Usage:
        * Required
        * An array of fields used to split the results to entities.
    "matching_entity_fields": <array>
      * Usage:
        * Required
        * The fields used to look up entities from the KV store.
        * Example: split_by_fields=[id,name], matching_entity_fields=[id,host]
        * Raw event "id" field maps to "id" field of entity, and "name" field maps to "host" field
    "is_key": <boolean>
      * Usage:
        * Optional
        * If "true", this metric is used as a key metric for this entity type in the Infrastructure Overview.
        * Default: false
    "unit": <string>
      * Usage:
        * Optional
        * The unit for the metric.
  }

_immutable = <boolean>
* Required
* Whether you can edit or delete the entity data drilldown.
* If "true", you can't edit or delete the entity data drilldown.
* If "false", you can edit or delete the entity data drilldown.
* Default: false

itsi_entity_type.conf.example
No example
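
The filter-to-SPL equivalences that the spec gives for static_filter and entity_field_filter can be checked with a small renderer. This is an added Python example, not Splunk's code and not how ITSI builds its searches. The function names, joining multiple values with OR, rendering "exclude" as NOT, and the quoting rule that keeps entity values as data are all assumptions.

```python
import re

BARE = re.compile(r"[A-Za-z0-9_.:-]+")          # assumed: values safe to leave unquoted
FIELD = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")  # assumed: conservative field-name check

def _term(field, value):
    if not isinstance(field, str) or not FIELD.fullmatch(field):
        raise ValueError(f"invalid field name: {field!r}")
    text = str(value)
    if not BARE.fullmatch(text):  # quote and escape so the value stays one literal
        text = '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{field}={text}"

def _any_of(terms):  # assumed: several values for one field are OR-ed
    if not terms:
        raise ValueError("filter has no values")
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def render(flt, entity=None, nested=False):
    kind = flt.get("type")
    if kind in ("and", "or"):
        parts = [render(f, entity, nested=True) for f in flt.get("filters", [])]
        if not parts:
            raise ValueError("boolean filter has no sub-filters")
        joined = f" {kind.upper()} ".join(parts)
        return f"({joined})" if nested and len(parts) > 1 else joined
    if kind in ("include", "exclude"):
        group = _any_of([_term(flt["field"], v) for v in flt["values"]])
        return group if kind == "include" else f"NOT {group}"  # assumed NOT form
    if kind == "entity":
        name = flt.get("entity_field")
        if entity is None or name not in entity:
            raise ValueError(f"entity lacks field {name!r}")
        values = entity[name] if isinstance(entity[name], list) else [entity[name]]
        return _any_of([_term(flt["data_field"], v) for v in values])
    raise ValueError(f"unknown filter type: {kind!r}")

def drilldown_filter(drilldown, entity):
    keys = ("static_filter", "entity_field_filter")
    parts = [render(drilldown[k], entity) for k in keys if k in drilldown]
    return " AND ".join(f"({p})" for p in parts)

# Constructed sample: the spec's two example filters in one data drilldown.
DRILLDOWN = {"title": "Access logs", "type": "events",
    "static_filter": {"type": "and", "filters": [
        {"type": "include", "field": "sourcetype", "values": ["access_logs"]},
        {"type": "include", "field": "index", "values": ["main"]}]},
    "entity_field_filter": {"type": "or", "filters": [
        {"type": "entity", "data_field": "src", "entity_field": "ip"},
        {"type": "entity", "data_field": "dest", "entity_field": "ip"}]}}
```

Calling drilldown_filter(DRILLDOWN, {"ip": "1.2.3.4"}) reproduces the combined filter string quoted in the spec.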
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.18.0, 4.18.1, 4.19.0, 4.19.1, 4.19.2