Related Answers
Download topic as PDF
Create a single entity in ITSI
Create a single entity in Splunk IT Service Intelligence (ITSI) to associate events your Splunk platform deployment receives. An entity is an IT component that requires management to deliver an IT service. Each entity has specific attributes and relationships to other IT processes that uniquely identify it. Entities contain alias fields and informational fields ITSI associates with indexed events. For more, see Entities in Overview of Service Insights in ITSI in the ITSI Service Insights Manual.
You can associate entities with entity types. Entity types define visualizations and resources for entities. For more, see How ITSI visualizes entity data.
After you create entities, associate them with ITSI services. Use entity rules for services to associate entities with services. For more, see Overview of creating services in ITSI in the ITSI Service Insights Manual.
Prerequisites
| Requirement | Description |
|---|---|
| ITSI role | You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role. |
Steps
Follow these steps to manually create a single entity.
- From the ITSI main menu, go to Configuration > Entities.
- Select Create Entity > Create Single Entity.
- Configure the following fields to define your entity:
Field Description Name The name of the entity. Description Provide a description of the entity. You can view the description from the Entities lister page later. Team All entities are created in the Global team. You can't modify this field. Aliases Field-value pairs that identify the entity. Fields and values are case insensitive. For example:
host=webserver-01IP=10.2.1.1MAC=C6:4B:B9:E8:E6:2A
If a field has multiple values, separate them with commas. For example,host = webserver-01, webserver-01.splunk.com.When creating an entity alias, make sure the key-value pair is unique. ITSI relies on alias key-value pairs to identify entities in visualizations such as Service Analyzer and Episode Review. To identify any duplicate entity aliases in your environment, see the Check for Duplicate Entity Aliases panel of the ITSI Health Check dashboard.
Info Fields Field-value pairs that associate specific attributes with the entity. Info fields are like common fields, and can have the same values across entities. For example, an info field like
datacenter=vault13can be common to all the entities of the same data center. Fields and values are case insensitive. For example:role=webserverowner=Ops
If a field has multiple values, separate them with commas. For example,component=metrics, store.Alias and info fields and values have the following restrictions:
- Unsupported characters in field names: single quotes ('), double quotes ("), dollar sign ($) as the first character, equal sign (=), period (.), and commas (,).
- Unsupported characters in field values: single quotes ('), double quotes ("), and dollar sign ($) as the first character.
- Select existing Entity Types you want to associate the entity with. You can select zero or more entity types. If you don't have existing entity types, create them first. You can edit the entity later and associate it with entity types. For more information about creating entity types, see Configure entity types in ITSI.
- Click Create. The entity appears in the Entities and Entity Types page.
|
PREVIOUS Send data to Splunk Cloud Platform with ITSI data collection agents |
NEXT Import entities from a search in ITSI |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4
Feedback submitted, thanks!