Splunk® IT Service Intelligence

Entity Integrations Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.7.0 reached its End of Life on October 28, 2022.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Create a single entity in ITSI

Create a single entity in Splunk IT Service Intelligence (ITSI) to associate events your Splunk platform deployment receives. An entity is an IT component that requires management to deliver an IT service. Each entity has specific attributes and relationships to other IT processes that uniquely identify it. Entities contain alias fields and informational fields ITSI associates with indexed events. For more, see Entities in Overview of Service Insights in ITSI in the ITSI Service Insights Manual.

You can associate entities with entity types. Entity types define visualizations and resources for entities. For more, see How ITSI visualizes entity data.

After you create entities, associate them with ITSI services. Use entity rules for services to associate entities with services. For more, see Overview of creating services in ITSI in the ITSI Service Insights Manual.


Requirement Description
ITSI role You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role.


Follow these steps to manually create a single entity.

  1. From the ITSI main menu, go to Configuration > Entities.
  2. Select Create Entity > Create Single Entity.
  3. Configure the following fields to define your entity:
    Field Description
    Name The name of the entity.
    Description Provide a description of the entity. You can view the description from the Entities lister page later.
    Team All entities are created in the Global team. You can't modify this field.

    Field-value pairs that identify the entity. Fields and values are case insensitive. For example:




    If a field has multiple values, separate them with commas. For example, host = webserver-01, webserver-01.splunk.com .

    When creating an entity alias, make sure the key-value pair is unique. ITSI relies on alias key-value pairs to identify entities in visualizations such as Service Analyzer and Episode Review. To identify any duplicate entity aliases in your environment, see the Check for Duplicate Entity Aliases panel of the ITSI Health Check dashboard.

    Info Fields

    Field-value pairs that associate specific attributes with the entity. Info fields are like common fields, and can have the same values across entities. For example, an info field like datacenter=vault13 can be common to all the entities of the same data center. Fields and values are case insensitive. For example:



    If a field has multiple values, separate them with commas. For example, component=metrics, store.

    Alias and info fields and values have the following restrictions:

    • Unsupported characters in field names: single quotes ('), double quotes ("), dollar sign ($) as the first character, equal sign (=), period (.), and commas (,).
    • Unsupported characters in field values: single quotes ('), double quotes ("), and dollar sign ($) as the first character.
  4. Select existing Entity Types you want to associate the entity with. You can select zero or more entity types. If you don't have existing entity types, create them first. You can edit the entity later and associate it with entity types. For more information about creating entity types, see Configure entity types in ITSI.
  5. Click Create. The entity appears in the Entities and Entity Types page.
Last modified on 27 January, 2021
Send data to Splunk Cloud Platform with ITSI data collection agents
Import entities from a search in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters