Splunk® IT Service Intelligence

Entity Integrations Manual


Splunk IT Service Intelligence version 4.5.x will no longer be supported as of April 29, 2022. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI.

Overview of entity types in ITSI

Splunk IT Service Intelligence (ITSI) visualizes entity data using entity types, analysis data filters, and navigations. Analysis data filters and navigations are components of entity types. ITSI has default configurations for supported integrations, and you can also create custom entity types, analysis data filters, and navigations. For more information about configuring entity types and their components, see Configure entity types to define entity data sources and visualizations in ITSI.

How ITSI uses entity types

Entity types define how to classify a type of data source. For example, there are Linux, Windows, Kubernetes, and VMware vCenter Server entity types. Entity types can represent physical hosts, containers, virtual environments, and cloud providers.

Each entity type contains zero or more analysis data filters and navigations that define the data sources and visualizations for each entity associated with the entity type. You can create, modify, or delete analysis data filters and navigations for a specific entity type. You can't create, modify, or delete a single analysis data filter or navigation for multiple entity types at the same time.

How ITSI uses analysis data filters with entity types

Analysis data filters associate entity types with data sources. Analysis data filters are data collection rules that define data sources. They are split into two data types: metrics and events. Every supported entity type comes with at least one default metrics filter and one default events filter that populates the Analysis Workspace with data. Analysis data filters determine which data you can view in the Entity Analysis Dashboard. For more information about this dashboard, see Investigate entity metrics and logs in the ITSI Entity Analysis Dashboard in the User Manual.

Each analysis data filter contains a static filter for specific data sources and an entity field filter to match data sources to a specific entity. Use static filters to include or exclude specific entity field-value pairs. Use an entity field filter to pass entity-specific information in the navigation URL. Here's an example analysis data filter for metrics for AWS EC2 instances:

{ \
    "title": "AWS EC2 metrics", \
    "type": "metrics", \
    "static_filter": { \
        "type": "include", \
        "field": "metric_name", \
        "values": ["AWS/EC2.*"] \
    }, \
    "entity_field_filter": { \
        "type": "entity", \
        "data_field": "InstanceId", \
        "entity_field": "InstanceId" \
    } \
}, \

The static_filter captures all events where metric_name = AWS/EC2.*. ITSI correlates a metric or log event to an entity when the data_field of the event matches the entity_field of the entity. The entity_field can be any entity alias or entity information field you associated with an entity.
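The matching described above, as an added Python sketch that is not ITSI's own code. It assumes the `*` in `values` is a glob-style wildcard and that an entity stores each alias or information field as a list of values; the entities and events are constructed sample data.

```python
import json
from fnmatch import fnmatchcase

# The filter from this page, without the .conf line-continuation backslashes.
FILTER = json.loads("""
{"title": "AWS EC2 metrics", "type": "metrics",
 "static_filter": {"type": "include", "field": "metric_name",
                   "values": ["AWS/EC2.*"]},
 "entity_field_filter": {"type": "entity", "data_field": "InstanceId",
                         "entity_field": "InstanceId"}}
""")

# Constructed sample entities and events (not real ITSI data).
ENTITIES = [
    {"title": "web-01", "InstanceId": ["i-0aaa1111"]},
    {"title": "db-01", "InstanceId": ["i-0bbb2222"]},
]
EVENTS = [
    {"metric_name": "AWS/EC2.CPUUtilization", "InstanceId": "i-0aaa1111"},
    {"metric_name": "AWS/EBS.VolumeReadOps", "InstanceId": "i-0aaa1111"},
    {"metric_name": "AWS/EC2.NetworkIn", "InstanceId": "i-0ccc3333"},
    {"metric_name": "AWS/EC2.NetworkIn"},  # data_field missing entirely
]

def passes_static_filter(event, static_filter):
    """Apply the include/exclude rule to one field of the event."""
    value = event.get(static_filter["field"])
    hit = value is not None and any(
        fnmatchcase(value, pattern) for pattern in static_filter["values"])
    return hit if static_filter["type"] == "include" else not hit

def correlate(event, entities, data_filter):
    """Return the title of the entity the event belongs to, or None."""
    if not passes_static_filter(event, data_filter["static_filter"]):
        return None
    field_filter = data_filter["entity_field_filter"]
    value = event.get(field_filter["data_field"])
    if value is None:
        return None
    for entity in entities:
        if value in entity.get(field_filter["entity_field"], []):
            return entity["title"]
    return None  # passed the static filter but no entity claims it

def correlate_all(events=EVENTS):
    return [correlate(event, ENTITIES, FILTER) for event in events]

if __name__ == "__main__":
    print(correlate_all())
```

Only the first event is attributed to an entity. The other three show the ways data can silently drop out of an entity's view: the wrong metric namespace, an `InstanceId` that no entity carries, and a missing `data_field`.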

How ITSI uses navigations with entity types

Navigations define parameters to send to a URL for an entity type. A navigation specifies a URL that points to a dashboard or other resource for the entity, together with a set of parameters that pass entity information as part of the URL.

You can view navigations from an entity's information panel in the entity health page. Default AWS and Microsoft Azure entity types have a default navigation that displays a dashboard in an entity's Overview Dashboard.

Default entity types, analysis data filters, and navigations

Entity types and their analysis data filters and navigations are defined in $SPLUNK_HOME/etc/apps/SA-ITOA/default/itsi_entity_type.conf. For more information about each entity type, analysis data filter, and navigation, see itsi_entity_type.conf in the Administration Manual.

Entity type Analysis data filter Navigation
  • System metrics
  • *nix logs
  • System metrics
  • Windows logs
Kubernetes Node
  • Kubernetes Node metrics
  • Kubernetes Node logs
  • Kubernetes Node metadata
Kubernetes Pod
  • Kubernetes Pod metrics
  • Kubernetes Pod logs
  • Kubernetes Pod metadata
VMware ESXi Host
  • VMware ESXi metrics
  • VMware Inventory logs
  • VMware Tasks logs
  • VMware ESXi Hosts Events logs
  • VMware ESXi logs
VMware VM
  • VMware VM metrics
  • VMware Inventory logs
  • VMware Tasks logs
VMware Cluster
  • VMware Cluster metrics
  • VMware Inventory logs
  • VMware Cluster Events logs
VMware vCenter
  • VMware vCenter metrics
  • VMware Inventory logs
  • VMware vCenter Tasks and Events logs
  • VMware vCenter logs
Last modified on 13 August, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only
