Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.2.x will no longer be supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Bulk delete entities in ITSI

Delete entities in bulk if you have a lot of of duplicate entities. For example, you might have duplicate entities imported from the Splunk App for Infrastructure (SAI) that you want to get rid of.

The following example shows you how to bulk delete entities from SAI.

  1. Use the curl command to spit out the entities that match the ITSI role "SAI".
    curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity?filter='\{"itsi_role":"SAI"\}'\&fields='_key'
  2. Delete the entities.
    curl -k -u admin:changeme -X DELETE https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity?filter='\{"itsi_role":"SAI"\}'\&fields='_key'

Disable recurring entity import searches

After you delete entities, you might still see them populating automatically in the UI. This is most likely because you set up recurring entity imports in the past. These recurring import searches periodically re-populate your entities even after you delete them. For more information, see Set up a recurring import of entities in ITSI.

ITSI saves recurring imports as modular inputs. On a single instance deployment, you can disable or delete these modular inputs through the UI.

  1. Click Settings > Data inputs.
  2. Click IT Service Intelligence CSV Import. All recurring imports that you've configured are listed here, in addition to the entity discovery searches that are bundled with ITSI modules.
  3. In the Status column, click Disable for each recurring import that you want to disable. It is best practice to not delete them altogether, as you might want to enable them again in the future.

Disable recurring entity import searches in a search head cluster

ITSI saves recurring entity import searches as modular inputs in a local version of inputs.conf. You cannot disable modular inputs using the UI in a search head cluster environment. You must manually disable them through inputs.conf on each search head in your environment.


  • Only users with file system access, such as system administrators, can disable modular inputs.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.


  1. On each search head, navigate to $SPLUNK_HOME/etc/apps/itsi/local/inputs.conf.
  2. In each recurring import stanza within the file, add the line Disabled = 1. For example:
    backfill_enabled = 0
    csv_location = /Users/username/Documents/Entities.csv
    entity_identifier_fields = itsi_role
    entity_informational_fields = IP,host
    entity_title_field = vendor
    import_from_search = false
    interval = 0 8 * * *
    service_description_column = service_desc
    service_enabled = 1
    service_security_group = default_itsi_security_group
    service_title_field = ITService
    template = {}
    update_type = upsert
    Disabled = 1
  3. Save and close the file.
Last modified on 10 March, 2020
Conflict resolution examples in ITSI
Manage pseudo entities in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters