Splunk® IT Service Intelligence

Release Notes

This documentation does not apply to the most recent version of ITSI.

Removed features in Splunk IT Service Intelligence

This page lists computing platforms, browsers, and features for which IT Service Intelligence (ITSI) has deprecated or removed support.

Entity Alias Filtering field

The Entity Alias Filtering field used in KPI searches was removed in IT Service Intelligence version 4.2.x to improve how entity matching is performed.

Previously, the Entity Filter Field and the optional Entity Alias Filtering field were used in combination to determine which entity alias values to use for filtering. With the removal of entity alias filtering, only the Entity Filter Field determines the entity aliases to use for filtering. See Entity filtering in the Administer Splunk IT Service Intelligence manual for more information about entity filtering.

With the removal of entity alias filtering, ITSI now strictly matches entities against KPI search results using both the alias key and value, whereas before it only used the alias value. The strict entity alias matching also occurs when generating notable events through correlation searches. The entity lookup field must be an actual entity alias field for the match to occur. For example, if the entity was created with an alias of hostname but the entity lookup field in the correlation search has a value of myhost, the match will not work. The entity lookup field must be hostname as well.

This strict association change and the removal of entity alias filtering can cause the following problems in your ITSI environment:

  1. A KPI search might exist where the Entity Split Field or Entity Filter Field doesn't match a field in the entity. In this case, the entity will not be included in the KPI's results.
  2. An entity's alias values for the Entity Filter Field might be missing values from the previous Entity Alias Filtering field. In this case, the entity might not be included in the KPI's results.
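
The difference between the old value-only match and the strict key-and-value match, as an added Python sketch. It is a simplified model, not ITSI code and not the check_kpi_entity_configs.py script; the entities, field names, function names and the expected_values parameter are constructed for illustration.

```python
# Simplified model of ITSI entity matching; not ITSI code.
# The entities below are constructed sample data.
ENTITIES = [
    {"title": "web-01", "aliases": {"host": ["web-01", "10.0.0.5"]}},
    {"title": "app-01", "aliases": {"hostname": ["appserver-01"]}},
    {"title": "db-01", "aliases": {"host": ["db-01"]}},
]


def match_value_only(entity, field, value):
    """Pre-4.2.x model: any alias value equal to the result value matches.

    The field name is deliberately ignored, which is what the upgrade changes.
    """
    return any(value in vals for vals in entity["aliases"].values())


def match_strict(entity, field, value):
    """4.2.x model: the alias key must equal the field name and hold the value."""
    return value in entity["aliases"].get(field, [])


def classify(entity, field, expected_values):
    """Report what an entity lacks for strict matching on `field`.

    expected_values is an assumption: the values the KPI used to filter on.
    Returns ("ok", []), ("missing_alias_field", []) or
    ("missing_alias_values", [...]), mirroring the two problems listed above.
    """
    if field not in entity["aliases"]:
        return ("missing_alias_field", [])
    missing = [v for v in expected_values if v not in entity["aliases"][field]]
    return ("missing_alias_values", missing) if missing else ("ok", [])


def dropped_after_upgrade(entities, field, value):
    """Entities that matched by value alone but fail the strict key+value match."""
    return [e["title"] for e in entities
            if match_value_only(e, field, value)
            and not match_strict(e, field, value)]


if __name__ == "__main__":
    # Constructed case: the KPI splits on "host" and a row carries host=appserver-01.
    print(dropped_after_upgrade(ENTITIES, "host", "appserver-01"))
    print(classify(ENTITIES[1], "host", ["appserver-01"]))
    print(classify(ENTITIES[2], "host", ["db-01", "db-01.example.com"]))
```

An entity that silently drops out of a KPI or a correlation search no longer contributes to health scores or notable events, so both classifications are worth reviewing before the upgrade.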

Before you upgrade

Before you upgrade to version 4.2.x, run the following script on the search head to identify the affected entities and the KPIs associated with them.

  1. Download and unzip the following script: Check_kpi_entity_configs.zip
  2. Run the following command: $SPLUNK_HOME/bin/splunk cmd python check_kpi_entity_configs.py
  3. Provide the splunkd host and port number of the search head.
  4. Provide your username and password.

The script outputs a list of entities that are missing alias fields or values, as well as the KPI and service associated with each entity. These entities could potentially break after you upgrade. Use this information to make an informed decision on how to proceed with the upgrade. Note that although ITSI identifies these entities for you, the process of fixing them after you upgrade is manual and can be extensive if you have a lot of entities.

Identify broken entities

After you upgrade to version 4.2.x, ITSI checks all of your entities to determine any that might have broken as a result of the change. A warning message about the offending entities appears in the Messages menu in Splunk Web. All affected entities are listed in the migration log along with the KPIs associated with them.

Search the IT Service Intelligence migration log to locate any affected entities in your environment. Run the following Splunk search to produce a chart of offending entities:

index=_internal source=*itsi* EntityMisconfig | eval alias_field=coalesce(entity_filter_field, entity_split_field) | table entity_title entity_id alias_field missing_alias_values kpi_id kpi_title service_id service_title _raw

If you have a large number of warnings to review, you can run this search to group the results:

index=_internal EntityMisconfig source=*itsi* | stats count dc(kpi_id) AS nb_kpi_impacted values(kpi_title) AS kpi_impacted_list dc(entity_id) AS nb_entities_impacted last(_raw) AS "last warning" by service_id service_title

If an entity appears in the output chart, it means it might have broken as a result of the strict association change.

  • If there are NO missing_alias_values listed for an entity, add the listed alias_field to the entity in order to fix any potential problems.
  • If there are missing_alias_values listed, add those values to the alias_field listed in order to fix any potential problems.

The search only reflects the initial migration check and will not update after you make subsequent changes to the entities.

Fix a missing alias field

Perform these steps if there is a value in the alias_field column and NO VALUES in the missing_alias_values column.

  1. Click Configure > Entities and navigate to the offending entity.
  2. Assess whether the alias field is required in the entity.
  3. If necessary, add the alias_field from the log as an alias. For example, if the log lists host as the alias_field, you might add the alias host=appserver-01.

Fix missing alias values

Perform these steps if there are values listed in the missing_alias_values column.

  1. Click Configure > Entities and navigate to the offending entity.
  2. Evaluate whether filtering needs to be done on any of the fields listed in the missing_alias_values column.
  3. If necessary, add the missing_alias_values listed in the chart to the alias_field specified in the chart. Separate alias values by commas.

For example, if the alias_field is name and its current alias is 08675309:web-01, you might add the missing alias value appserver01 as an additional alias value to filter on.

Last modified on 03 September, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0

