Splunk® IT Service Intelligence

SAI Integration


Integrate entities from the Splunk App for Infrastructure with ITSI

Integrate with the Splunk App for Infrastructure (SAI) to import entities from SAI into ITSI on a recurring basis. After you enable the integration, entities from SAI are imported into ITSI about every 5 minutes.

The integration is one direction only, from SAI to ITSI. You cannot import a subset of entities. All entities are imported if entity integration is enabled.

Prerequisites

  • Entities and alerts must be configured in the Splunk App for Infrastructure.
  • You must have the admin_all_objects capability to manage the integration. The Splunk admin account has this capability by default.

Steps

  1. The Integrate with Splunk App for Infrastructure dialog opens the first time ITSI detects the app on the same Splunk Enterprise instance, and after a service is created in ITSI. If the dialog doesn't open when you log into ITSI, click Configuration > Entities > Manage Integrations.
  2. Enable the first option (integrate entities) and click Save.
    You can also enable integration of alerts at the same time. For information on integrating alerts, see Ingest Splunk App for Infrastructure alerts into ITSI as notable events.
  3. After integration is complete, click View All Entities or close the dialog and select Configuration > Entities from the top menu bar.
  4. On the Entities page, filter on SAI to see the entities that were imported from the Splunk App for Infrastructure. If you don't see entities from the Splunk App for Infrastructure after a few minutes, see Entities from the Splunk App for Infrastructure are not imported into ITSI.

Confirm the integration

  1. Select an entity imported from SAI to see the Alias and Info fields that have been added for the entity.
    • The Entity Name in SAI is used as the entity name, or title, in ITSI.
    • An Alias is added for host = <entity name>.
    • Each entity dimension defined in SAI is added as an Info field in the ITSI entity.
    • The Info fields itsi_role = SAI and sai_entity_key = <key> are added to identify the origin of the entity.
  2. (Optional) Add additional Alias and Info fields. Any Alias and Info fields you add in ITSI are not overwritten by subsequent updates from the Splunk App for Infrastructure.
  3. On the entities lister page, click View Health on an SAI entity to see detailed health information. Click Splunk App for Infrastructure on the entity health page to open the Entity Overview in SAI.

Entities imported from SAI that meet entity rules for a service are associated with the service.

If you delete an entity in SAI, it is not deleted in ITSI.

How entities are merged

The following table describes how entity data in SAI merges with ITSI entity data.

Condition: An entity in SAI does not exist in ITSI.
Result: The entity is created in ITSI. The following fields are added to the entity:
  • The Entity Name in SAI is used as the Entity Name (or Title) in ITSI.
  • An Alias is added for host = <entity name>.
  • Each entity dimension defined in SAI is added as an Info field for the entity in ITSI.
  • The Info field itsi_role=SAI is added to identify the origin of the entity.

Condition: A dimension is added to an entity in SAI.
Result: A new Info field is added to the entity in ITSI.

Condition: An entity dimension is updated in SAI.
Result: The field value is updated for the entity in ITSI. For example, if an entity imported from the Splunk App for Infrastructure has the dimension "location: san francisco" and that dimension changes in the Splunk App for Infrastructure to "location: seattle", the corresponding Info field value in ITSI (location=san francisco) is replaced with the updated value from the Splunk App for Infrastructure (location=seattle).

Condition: A new Alias or Info field is added to an entity in ITSI that was imported from the Splunk App for Infrastructure.
Result: The entity field in ITSI is retained and is not overwritten by subsequent updates from the Splunk App for Infrastructure.

Condition: An entity is deleted in SAI.
Result: The entity is not removed in ITSI. You must manually delete the entity in ITSI.

Condition: An entity in SAI has the same name as an entity in ITSI.
Result: The information from the entities is merged. If a field is present in both the ITSI entity and the SAI entity, the SAI value is used.

Condition: One entity has a certain Info field, and the other entity has the same field as an Alias.
Result: The Info field is removed and the Alias field is kept.
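
The merge rules above, modelled as an added Python example (not Splunk code and not part of the original documentation). Entities are simplified to dicts with single-valued fields; the function names, the dict layout and the sample entity are assumptions. The second function lists ITSI entities left behind after their SAI entity is deleted, which the integration never removes.

```python
# Illustrative model only; ITSI's real implementation is not shown on this page.
# ITSI entity (assumed layout): {"title": str, "aliases": dict, "info": dict}
# SAI entity (assumed layout):  {"name": str, "key": str, "dimensions": dict}

def merge_sai_into_itsi(itsi, sai):
    """Return the ITSI entity after one import of `sai`.

    `itsi` is the existing ITSI entity with the same name, or None.
    """
    merged = {"title": sai["name"], "aliases": {}, "info": {}}
    if itsi is not None:
        # Fields added in ITSI are retained across imports.
        merged["aliases"].update(itsi["aliases"])
        merged["info"].update(itsi["info"])
    # Fields derived from SAI; where both sides have a field, SAI wins.
    merged["aliases"]["host"] = sai["name"]
    merged["info"].update(sai["dimensions"])
    merged["info"]["itsi_role"] = "SAI"
    merged["info"]["sai_entity_key"] = sai["key"]
    # Same field present as Info and as Alias: Info is removed, Alias kept.
    for field in list(merged["info"]):
        if field in merged["aliases"]:
            del merged["info"][field]
    return merged


def stale_sai_entities(itsi_entities, current_sai_keys):
    """Titles of SAI-origin ITSI entities whose SAI entity no longer exists."""
    return [
        e["title"]
        for e in itsi_entities
        if e["info"].get("itsi_role") == "SAI"
        and e["info"].get("sai_entity_key") not in current_sai_keys
    ]


# Constructed sample data: the same SAI entity before and after a change.
SAI_V1 = {"name": "web-01", "key": "k1",
          "dimensions": {"location": "san francisco", "os": "linux"}}
SAI_V2 = {"name": "web-01", "key": "k1",
          "dimensions": {"location": "seattle", "os": "linux"}}

if __name__ == "__main__":
    entity = merge_sai_into_itsi(None, SAI_V1)   # first import creates it
    entity["info"]["owner"] = "netops"           # Info field added in ITSI
    entity = merge_sai_into_itsi(entity, SAI_V2) # next import updates it
    print(entity)
    print(stale_sai_entities([entity], current_sai_keys=set()))
```
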
Last modified on 27 April, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.8.0 Cloud only

