Splunk® IT Service Intelligence

Entity Integrations Manual



Splunk IT Service Intelligence version 4.7.0 reached its End of Life on October 28, 2022.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence.

Use custom indexes in ITSI

You can create custom indexes to store metrics and log data for Splunk IT Service Intelligence (ITSI) entity integrations. For more information about creating custom indexes, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers guide.

The default metrics index for entity metrics data is em_metrics. To use another metrics index, you have to update the sai_metrics_indexes search macro to include the index. You can include multiple metrics indexes in the search macro.

Use custom entity metrics indexes

Metrics you collect with ITSI entity integrations need to have the em_metrics source type. This source type performs important data transforms before indexing. Use the em_metrics source type with any custom metrics index you create.

Metrics you collect for default entity classes with a supported data collection method include the em_metrics source type. Metrics for custom entity classes may not include the required source type. When you include the required source type at the index level, all data you send to the index includes the required source type.

Include a custom metrics index in the sai_metrics_indexes search macro so you can monitor hosts in your infrastructure that send data to the custom index. You can add multiple metrics indexes to the metrics index macro.

  1. Go to Settings > Advanced search and select Search macros.
  2. Select the sai_metrics_indexes macro.
  3. For the Definition, include the custom index you want to use. If you use multiple metrics indexes, add each one like this:
    index = linux_metrics OR index = windows_metrics
    
  4. When you're done, save the macro.
  5. Go to Settings > Data inputs and select HTTP Event Collector.
  6. For the HEC token you use to collect metrics, update the allowed indexes list and specify a new Default Index.
  7. When you're done, save the configuration.
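The following added example (not Splunk's own code) cross-checks the two settings these steps change: it flags HEC tokens whose Default Index is outside their allowed indexes list, and indexes a token can write to that the sai_metrics_indexes macro does not search. It assumes the macro definition and token settings are available as macros.conf and inputs.conf text; the conf contents and the token names entity_metrics and legacy_metrics are constructed for illustration.

```python
import configparser
import re

# Constructed sample config mirroring the steps above (not from a real deployment).
MACROS_CONF = """
[sai_metrics_indexes]
definition = index = linux_metrics OR index = windows_metrics
"""
INPUTS_CONF = """
[http://entity_metrics]
index = linux_metrics
indexes = linux_metrics,windows_metrics

[http://legacy_metrics]
index = em_metrics
indexes = linux_metrics,app_metrics
"""

def _parse(text):
    # Split only on the first "=" so the macro definition keeps its own "=" signs.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def macro_indexes(macros_text, macro="sai_metrics_indexes"):
    """Index names referenced by `index = <name>` terms in the macro definition."""
    definition = _parse(macros_text)[macro]["definition"]
    return set(re.findall(r"index\s*=\s*\"?([\w\-]+)", definition))

def audit_hec_tokens(macros_text, inputs_text):
    """Return {token_name: [findings]} for HEC stanzas that disagree with the macro."""
    searched = macro_indexes(macros_text)
    report = {}
    cp = _parse(inputs_text)
    for stanza in cp.sections():
        if not stanza.startswith("http://"):
            continue
        default = cp[stanza].get("index", "").strip()   # Default Index
        allowed = {i.strip() for i in cp[stanza].get("indexes", "").split(",") if i.strip()}
        findings = []
        if allowed and default not in allowed:
            findings.append(f"default index {default!r} not in allowed list")
        for idx in sorted((allowed | {default}) - searched - {""}):
            findings.append(f"index {idx!r} writable but not in macro")
        if findings:
            report[stanza[len("http://"):]] = findings
    return report
```

Calling audit_hec_tokens(MACROS_CONF, INPUTS_CONF) returns findings only for the legacy_metrics token; an empty result means every index a token can write to is covered by the macro.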

Use custom entity metrics indexes for entity types

The vital metrics displayed on the Infrastructure Overview page are based on macros with the format itsi_entity_type_*. Update the macro for an entity type to include a custom metrics index so you can monitor hosts in your infrastructure that send data to the custom index. You can add multiple metrics indexes to an itsi_entity_type_* macro.

  1. Go to Settings > Advanced search and select Search macros.
  2. Select the itsi_entity_type_* macro.
  3. For example, itsi_entity_type_nix_metrics_indexes is a macro for the Linux entity type.
  4. For the Definition, include the custom index you want to use. If you use multiple metrics indexes, add each one like this:
    index = em_metrics OR index = linux_metrics
    
  5. When you're done, save the macro.
Last modified on 13 January, 2022

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0 Cloud only, 4.8.1 Cloud only

