Related Answers
Download topic as PDF
Create entity types in ITSI
You can create custom entity types to associate particular analysis data filters and navigations with custom entities. For more information about default entity types and analysis data filters, see How ITSI visualizes entity data.
You have to create analysis data filters and navigations for each entity type. Analysis data filters and navigations are components of entity types, and can't exist independent of entity types.
Entity types and their components are defined in $SPLUNK_HOME/etc/apps/SA-ITOA/default/itsi_entity_type.conf. To edit or create entity types, add entity type stanzas to $SPLUNK_HOME/etc/apps/SA-ITOA/local/itsi_entity_type.conf. For more information, see itsi_entity_type.conf in the Administration Manual.
Here's an example entity type for a VMware cluster entity with events and metrics analysis data filters and a single default Entity Overview Dashboard. Analysis data filters are called data_drilldowns and Entity Overview Dashboards are called dashboard_drilldowns. Each analysis data filter has example static filters and entity filters.
Example VMware Cluster entity type
[vmware_cluster]
title = VMware Cluster
description = VMware Cluster type
data_drilldowns = [ \
{ \
"title": "VMware Cluster metrics", \
"type": "metrics", \
"static_filter": { \
"type": "include", \
"field": "metric_name", \
"values": ["vsphere.cluster.*"] \
}, \
"entity_field_filter": { \
"type": "and", \
"filters": [ \
{ \
"type": "entity", \
"data_field": "moid", \
"entity_field": "moid" \
}, \
{ \
"type": "entity", \
"data_field": "vcenter", \
"entity_field": "vcenter" \
} \
] \
} \
}, \
{ \
"title": "VMware Inventory logs", \
"type": "events", \
"static_filter": { \
"type": "include", \
"field": "index", \
"values": ["vmware-inv"] \
}, \
"entity_field_filter": { \
"type": "entity", \
"data_field": "moid", \
"entity_field": "moid" \
} \
}, \
{ \
"title": "VMware Cluster Events logs", \
"type": "events", \
"static_filter": { \
"type": "and", \
"filters": [ \
{ \
"type": "include", \
"field": "index", \
"values": [ \
"vmware-taskevent" \
] \
}, \
{ \
"type": "include", \
"field": "sourcetype", \
"values": [ \
"vmware:events" \
] \
}, \
{ \
"type": "include", \
"field": "computeResource.computeResource.type", \
"values": [ \
"ClusterComputeResource" \
] \
} \
] \
}, \
"entity_field_filter":{ \
"type": "entity", \
"data_field": "computeResource.computeResource.moid", \
"entity_field": "moid" \
} \
} \
]
dashboard_drilldowns = []
Create an entity type
Create entity types to logically group entities together and and associate them with relevant dashboards and drilldown links. View and manage entity types from the entity types lister page.
Use the entity type's name to associate entities with it. When you import entities from a Splunk search or CSV, you have to include a column entry that exactly matches the name of an existing entity type, otherwise the import process ignores the entity type field. For more information, see Associate entities with an entity type in ITSI.
Associate navigations and analysis data filters with an entity type to power entity visualizations. These components populate dashboards for entities you associate with an entity type. For more information about how these components help you visualize entity data, see How ITSI visualizes entity data.
Prerequisites
| Requirement | Description |
|---|---|
| ITSI roles | You need to log in as a user with the itoa_admin or itoa_team_admin role.
|
Steps
When you create an entity type, you can also add navigations and analysis data filters for it. If you don't add navigations or analysis data filters now, you can add them later.
Step 1: Create an entity type
- From the ITSI main menu, go to Configuration > Entities.
- Select the Entity types tab.
- Click Create Entity Type.
- Specify entity type information. Enter an Entity type name to reference the entity type.
- Optionally, provide a description of the entity type for yourself or other users.
Navigations are external URLs that pass entity parameters in the URL that belong to the entity type. For example, if you enter http://buttercup.com as the URL and make the entity parameter host=hostname, the resulting link will be http://www.butter.com?hostname=splunk.com, if the entity has a host value equal to "splunk.com".
If you enter a single word as the URL, like user_dashboard, ITSI assumes you entered a custom dashboard in Splunk. The resulting link would be <user_splunk_host>:<port>/en-US/app/itsi/user_dasboard.
Configure the following fields:
| Field | Description |
|---|---|
| Navigation name | A name to reference the navigation later. You see this name as a link on the side panel of the entity health page. It should be a unique name. |
| URL | The resource you want to associate with entities that belong to the entity type. It can be a Splunk Web URL or a completely external URL. |
| Entity parameters | Optionally, specify parameters to pass information about entities in the URL when you go to the navigation. Select entity informational fields or alias fields from the dropdown menu. The field has to already exist in ITSI. If you want to add entity fields for the navigation that don't already exist in ITSI, you can save the configuration and come back later to add them once entities contain those fields. |
Click Save navigation when you're done.
Step 3: Add analysis data filters to your entity type
Analysis data filters determine which data sources you associate with the entity for visualizations in the Entity Analysis Dashboard. You can create filters to define data sources for metrics and logs here.
| Field | Description |
|---|---|
| Analysis data filter | Enter a name to reference the filter later. You can see metrics and events associated with each filter from the Entity Analysis Dashboard. You can add multiple static filters and entity filters to define as broad or specific an analysis data filter as needed. You can also include multiple analysis data filters for each entity type. |
| Type | Whether the filter is for metrics or events. Each filter can define data sources for only metrics or only events, not both. Add multiple filters to define data sources for metrics and events. |
| Static filter | Add field-value pairs to define a data source. This filter isn't entity-specific. It can be as broad or specific as you want it to be. For example, use region = us-west-1 to include data from every entity with a region field in us-west-1, use metric_name = windows.* to include entity data for all Windows metrics. To take it a step further, you could use metric_name = windows.CPUUtilization.average to view data about only average Windows CPU utilization.
|
| Entity filter | Field-value pairs to define entities associated with data that's defined in the static filter. This filter is entity-specific. For example, you can use host = buttercupgames.splunk.com or ip = 127.0.0.1.
|
Click Save to save the analysis data filter and apply it to the entity type.
|
PREVIOUS Overview of entity types in ITSI |
NEXT Associate entities with an entity type in ITSI |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only
Feedback submitted, thanks!