Splunk® IT Service Intelligence

Administer Splunk IT Service Intelligence

Download manual as PDF

Download topic as PDF

Import entities from a Splunk search in ITSI

ITSI lets you import multiple entities from ITSI module searches, saved searches, or ad hoc searches using any data coming into the Splunk platform. The Import from Search workflow is identical to the Import from CSV workflow, except that you specify a search string instead of uploading a CSV file.

For CMDB integration, you can set up the Splunk platform to directly query the database where the CMDB data is stored so that you can use a Splunk search to import the CMDB data into ITSI as entities. You can automate the import from search for ongoing updates.

  1. Click Create Entity > Import from Search.

    If your role does not have write access to the Global team, you will not see the Create Entity option.

  2. Select one of the following search types:
    Search Type Description
    Module Choose from a list of pre-defined entity discovery searches based on ITSI modules.
    Saved Searches Choose from a list of pre-defined ITSI saved searches.
    Ad hoc Search Enter a custom search string.
  3. Enter an ad hoc search string or select a pre-defined module search or saved search. Make sure the results are presented in a table.
    In this example we want to import entities using an ad hoc search.
  4. Click the Search icon to view a preview of the search results. ImportEntity.png
  5. Click Next.
  6. Use the Select Column page to specify how to classify and store the file column entries that define your entities.
    In this example, we select to import the title column as Entity Title and the hostname column as Entity Alias. SpecifyColumns.png
  7. Configure the following options in the Settings section:
    Option Description
    Service Team

    (Only displayed if you are importing services.)

    The team to create the services in.
    Import Services As

    (Only displayed if you are importing services.)

    Whether services are enabled or disabled upon import.
    Conflict Resolution Determines how ITSI updates and stores your entity data:
    • Skip Over Existing Entities: Adds new entity data to the datastore only if the entity does not already exist. If an entity already exists, the entity is not updated.
    • Update Existing Entities: Merges the imported data and the existing data associated with the entity. Uses the Conflict Resolution field to identify the entity.
    • Replace Existing Entities: Replaces existing entity data with new entity data. Uses the Conflict Resolution field to identify the entity.
    Conflict Resolution Field The field used to merge on. Entities that have the same field value are considered to be the same entity. For example, if there is an entity defined with the same IP then merge into that entity. If Conflict Resolution is set to Update Existing Entities or Replace Existing Entities, ITSI resolves duplicate entities based on this field.

    For more information about Conflict Resolution, see Conflict Resolution examples in ITSI.

  8. In the Preview section, click Entities to be imported to confirm that your entity import configuration is correct.

    The preview shows the entity information you're importing. It doesn't show the final merged entity values.

    PreviewEntityImport.png

  9. Click Import.
    A message appears confirming that the import is complete.
  10. Click the View all Entities link to confirm your imported entities appear in the Entity viewer page.
  11. (Optional) Click Set up Recurring Import to create a modular input for the CSV file. See Set up recurring import of entities in ITSI.
PREVIOUS
Import entities from a CSV file in ITSI
  NEXT
Set up a recurring import of entities in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters