Add entity rules to a service in ITSI
Entity rules let you dynamically filter KPI searches based on entity alias matches. You can use entity rules to associate entities with KPIs at the service level, which makes it unnecessary to specify entity identifying fields for each KPI search.
When to add entity rules
Entity rules are optional and you can add them at any time. Add entity rules if you want to be able to filter a KPI by the entities in the service. There are many scenarios where entity rules can make it easier to configure your services, including the following:
- You want to match entity ID data not recognized inside Splunk Enterprise (such as mapping a naming scheme to specific devices). For example, your organization might use a server naming convention such as server-01, server-02, and so on. These names do not appear as fields inside Splunk searches. Adding rules that match your entity aliases to your server naming scheme lets you apply KPI searches to those servers.
- You want to disambiguate between multiple fields that identify the same machine (such as a host with multiple IP addresses).
How to set up entity rules
You can set up entity rules to match entities based on entity aliases, info, or entity title. You can also create rules based on multiple AND/OR conditions.
For example, if you want to add entity rules that identify your database servers, and those servers have aliases of host=mysql-03 and so on, you can add an entity rule such as "mysql*" to identify the servers on which to run the KPI search.
This entity rule matches the host field in Splunk data with your mysql* servers and adds each server to all KPI searches in the service.
Entity rule values can be left blank. For example, you could specify "web_server does not match" and leave the value field empty to include all values for the web_server field.
Filter entities out of a service
Use the "does not match" entity rule to filter entities out of a service rather than in. For example, if you want to filter out your database servers, you could add a rule such as "host does not match mysql*" so the KPI search does not run on those servers.
The "does not match" entity rule always acts as if the string you specify ends with a wildcard (*), so it filters out every value that starts with that string rather than just that value.
For example, you have two entities, one with info field location = Z and another with location = ZZZ. If you create the entity rule "location does not match Z", no entities will match the service. Z acts as if it has a wildcard at the end of it, filtering out any info fields that begin with the letter "Z".
This is the default behavior. To work around this behavior, create an OR condition in the entity rules such that the logic works. For example, "location does not match A, B, C, ..., Z".
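Because the implied trailing wildcard can drop entities from a service without any warning, it helps to check a "does not match" rule against your entity list before saving it. The following Python is an added example, not ITSI code: it models only the behavior described on this page, and the entity titles, the function name audit_does_not_match, and case-sensitive matching are assumptions.

```python
import re

# Constructed sample entities (illustrative titles, not from a real deployment).
ENTITIES = [
    {"title": "app-01", "location": "Z"},
    {"title": "app-02", "location": "ZZZ"},
    {"title": "app-03", "location": "A"},
]

def _compile(pattern):
    # Only '*' is a wildcard in this model; every other character is literal.
    # Case-sensitive matching is an assumption of the model.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body + r"\Z")

def audit_does_not_match(entities, field, value):
    """Model a '<field> does not match <value>' rule as the page describes it.

    Returns entity titles in three groups:
      kept                          - still in the service
      excluded_as_written           - value matches the rule exactly as typed
      excluded_by_implied_wildcard  - dropped only because of the implied '*'
    Entities that lack the field are ignored by this model.
    """
    result = {"kept": [], "excluded_as_written": [],
              "excluded_by_implied_wildcard": []}
    if value == "":
        # Per the page, a blank value includes all values for the field.
        result["kept"] = [e["title"] for e in entities if field in e]
        return result
    as_written = _compile(value)
    with_implied = _compile(value + "*")  # documented trailing-wildcard behavior
    for entity in entities:
        if field not in entity:
            continue
        field_value = entity[field]
        if as_written.match(field_value):
            result["excluded_as_written"].append(entity["title"])
        elif with_implied.match(field_value):
            result["excluded_by_implied_wildcard"].append(entity["title"])
        else:
            result["kept"].append(entity["title"])
    return result

if __name__ == "__main__":
    for group, titles in audit_does_not_match(ENTITIES, "location", "Z").items():
        print(f"{group}: {titles}")
```

Any title reported under excluded_by_implied_wildcard is an entity whose KPIs stop being evaluated in the service even though the rule as typed does not name it.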
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5