Integrate entities from the Splunk App for Infrastructure with ITSI
Integrate with the Splunk App for Infrastructure (SAI) to import entities from SAI into ITSI on a recurring basis. After you enable the integration, entities from SAI are imported into ITSI about every 5 minutes.
The integration is one direction only, from SAI to ITSI. You cannot import a subset of entities. All entities are imported if entity integration is enabled.
- Entities and alerts must be configured in the Splunk App for Infrastructure.
- You must have the
admin_all_objectscapability to manage the integration. The Splunk admin account has this capability by default.
- The Integrate with Splunk App for Infrastructure dialog opens the first time ITSI detects the app on the same Splunk Enterprise instance, and after a service is created in ITSI. If the dialog doesn't open when you log into ITSI, click Configuration > Entities > Manage Integrations.
- Enable the first option (integrate entities) and click Save.
You can also enable integration of alerts at the same time. For information on integrating alerts, see Ingest Splunk App for Infrastructure alerts into ITSI as notable events.
- After integration is complete, click View All Entities or close the dialog and select Configuration > Entities from the top menu bar.
- On the Entities page, filter on
SAIto see the entities that were imported from the Splunk App for Infrastructure. If you don't see entities from the Splunk App for Infrastructure after a few minutes, see Entities from the Splunk App for Infrastructure are not imported into ITSI.
Confirm the integration
- Select an entity imported from SAI to see the Alias and Info fields that have been added for the entity.
- The Entity Name in SAI is used as the entity name, or title, in ITSI.
- An Alias is added for
- Each entity dimension defined in SAI is added as an Info field in the ITSI entity.
- The Info fields
itsi_role = SAIand
sai_entity_key = <key>are added to identify the origin of the entity.
- (Optional) Add additional Alias and Info fields. Any Alias and Info fields you add in ITSI are not overwritten by subsequent updates from Splunk App for Infrastructure.
- On the entities lister page, click View Health on an SAI entity to see detailed health information. Click Splunk App for Infrastructure on the entity health page to open the Entity Overview in SAI.
Entities imported from SAI that meet entity rules for a service are associated with the service.
If you delete an entity in SAI, it is not deleted in ITSI.
How entities are merged
The following table describes how entity data in SAI merges with ITSI entity data.
|An entity in SAI does not exist in ITSI.||The entity is created in ITSI. The following fields are added to the entity:
|A dimension is added to an entity in SAI.||A new |
|An entity dimension is updated in SAI.||The field value is updated for the entity in ITSI. |
For example, if an entity imported from the Splunk App for Infrastructure had the dimension "location: san francisco", then the entity dimension in the Splunk App for Infrastructure changes to "location: seattle", the corresponding
||The entity field in ITSI is retained and is not overwritten by subsequent updates from the Splunk App for Infrastructure.|
|An entity is deleted in SAI.||The entity is not removed in ITSI. You must manually delete the entity in ITSI.|
|An entity in SAI has the same name as an entity in ITSI.||The information from the entities is merged. If a field is present in both the ITSI entity and the SAI entity, the SAI value is used.|
|One entity has a certain
Requirements for integrating the Splunk App for Infrastructure with ITSI
Ingest Splunk App for Infrastructure alerts into ITSI as notable events
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.8.0 Cloud only