Splunk® IT Service Intelligence

SAI Integration


Integrate the Splunk App for Infrastructure with ITSI

Integrate the Splunk App for Infrastructure (SAI) with IT Service Intelligence (ITSI) to correlate server metrics with events and metrics from other layers of the IT stack for higher level monitoring. You can drill directly into the SAI from ITSI to get detailed entity, group, and alert information for seamless troubleshooting.

Integrating SAI with ITSI lets you do the following:

  • Ingest entities from SAI
  • Ingest alerts from SAI as notable events
  • Create services from SAI entities

The integration is one direction only, from SAI to ITSI. When enabled, entities and alerts continuously update in ITSI from the SAI. Service templates are available to create services with pre-built KPIs and entity rules.

Use cases

For existing SAI users, integrating with ITSI enables you to get a service-level view of your IT infrastructure while continuing to use SAI for entity and group-level monitoring. This enables faster troubleshooting and remediation by linking server health to service KPIs and notable events to see the big picture of overall service and business health.

For existing ITSI users, ingesting entities and alerts from SAI into ITSI lets you build KPIs and services from entities and groups, and correlate alerts from SAI with other events and data sources in ITSI. Additionally, ITSI lets you apply machine learning to the entity-level data to detect anomalies and aggregate the event data with machine learning algorithms to reduce event noise.

Integrate with the Splunk App for Infrastructure

The first time ITSI detects SAI on the same Splunk Enterprise instance, a dialog opens asking if you want to integrate with the SAI.

  1. Open ITSI.
  2. Perform one of the following steps to integrate ITSI with SAI:
    1. The first time you create a service in ITSI, the Integrate with Splunk App for Infrastructure dialog opens if ITSI detects SAI on the same Splunk Enterprise instance. Both integration options are enabled by default, and you can select to integrate now or later.
    2. If the "Integrate with Splunk App for Infrastructure" dialog does not open, manually enable the integration. Go to Configure > Entities > Manage Integrations and enable the integration options.
  3. After you receive the message that integration is complete, click View All Entities or close the dialog and select Configure > Entities from the top menu bar.
  4. On the Entities page, filter on SAI to see the entities that were imported from SAI. If you don't see entities from SAI after a few minutes, see Entities from the Splunk App for Infrastructure are not imported into ITSI. Entities imported from SAI that meet entity rules for a service are associated with the service.

Entities that are deleted in SAI are not removed in ITSI.

Manually enable or disable integration

You can manually enable or disable the integration between SAI and ITSI:

  • If you did not select to integrate, you can manually enable entity and alert integration.
  • If you want to stop the integration, you can manually disable entity and alert integration.

Manually enable entity and alert integration

  1. Log in to the Splunk platform with a Splunk admin account.
  2. In ITSI, click Configure > Entities.
  3. Click Manage Integrations.
  4. Enable the options Integrate entities so ITSI has the latest entity information and Integrate alerts so you can manage all alerts in ITSI.
  5. Click Save.
  6. After you receive the message that integration is complete, click View All Entities or close the dialog and select Configure > Entities from the top menu bar.
  7. On the Entities page, filter on SAI to see the entities that were imported from SAI. Entities from SAI are imported into ITSI and update about every 5 minutes. For information about alert integration, see Ingest Splunk App for Infrastructure alerts into ITSI as notable events.
    Note: If you don't see entities from SAI after a few minutes, see Entities from the Splunk App for Infrastructure are not imported into ITSI.

Manually disable entity and alert integration

  1. Log in to the Splunk platform with a Splunk admin account.
  2. In ITSI, click Configure > Entities.
  3. Click Manage Integrations.
  4. Disable the options Integrate entities so ITSI has the latest entity information and Integrate alerts so you can manage all alerts in ITSI.
  5. Click Save.
    ITSI will no longer receive updated entity and alert information from SAI. However, the entities and alerts that are already imported remain. You must delete them manually in ITSI if you no longer want them.

How the integration works

A modular input called "Splunk App for Infrastructure - Entity Migration" publishes entities from SAI to the entity exchange.

A modular input called "IT Service Intelligence Entity Exchange Consumer Modular Input" enables ITSI to consume the entities from the entity exchange. This modular input runs on a regular interval as defined in SA-ITOA/Default/inputs.conf (default is every 300 seconds). This modular input is enabled by default and you don't need to take any action to make it work.

[itsi_entity_exchange_consumer://itsi_entity_exchange_consumer1]
interval = 300

Performance considerations

By default, the entity integration imports up to 50,000 entities from SAI. If you have more than 50,000 entities in SAI, only the first 50,000 import into ITSI.

To import more than 50,000 entities, increase the max_rows_per_query setting in $SPLUNK_HOME/etc/apps/SA-ITOA/local/limits.conf under the [kvstore] stanza to be higher than the number of entities in SAI.

[kvstore]
# The maximum number of rows that will be returned for a single query to a collection.
# If the query returns more rows than the specified value, then returned result set
# will contain the number of rows specified in this value.
# Default: 50000
max_rows_per_query = 50000
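
The following is an added example, not Splunk's code. It checks whether the effective max_rows_per_query (with local/limits.conf overriding the default) is higher than the SAI entity count, and lists entities that remain in ITSI after being deleted in SAI. The override value, entity counts and entity names are constructed, and the function names are hypothetical; the real counts and titles must come from your own SAI and ITSI instances.

```python
import configparser

# Page's default stanza; LOCAL_OVERRIDE and all entity data below are constructed samples.
DEFAULT_LIMITS = """
[kvstore]
# Default: 50000
max_rows_per_query = 50000
"""
LOCAL_OVERRIDE = """
[kvstore]
max_rows_per_query = 120000
"""


def effective_max_rows(default_conf, local_conf=""):
    """Resolve [kvstore] max_rows_per_query; a value in local/ overrides default/."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(default_conf)
    parser.read_string(local_conf)  # read last so its value wins
    return parser.getint("kvstore", "max_rows_per_query", fallback=50000)


def import_coverage(sai_entity_count, default_conf, local_conf=""):
    """Report how many SAI entities fall beyond the import limit."""
    limit = effective_max_rows(default_conf, local_conf)
    return {
        "limit": limit,
        "not_imported": max(0, sai_entity_count - limit),
        # The page's guidance: the limit must be higher than the entity count.
        "limit_sufficient": limit > sai_entity_count,
    }


def stale_itsi_entities(sai_titles, itsi_sai_titles):
    """Entities still in ITSI whose SAI source is gone (deletions do not propagate)."""
    return sorted(set(itsi_sai_titles) - set(sai_titles))


if __name__ == "__main__":
    print(import_coverage(73250, DEFAULT_LIMITS))
    print(import_coverage(73250, DEFAULT_LIMITS, LOCAL_OVERRIDE))
    print(stale_itsi_entities(["web-01", "web-02"], ["web-01", "web-02", "db-old-07"]))
```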

See also

See the following topics for more information.

Last modified on 19 March, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.4.0, 4.4.1, 4.4.2, 4.4.3

