Import entities from a search in ITSI
Create entities from IT Service Intelligence (ITSI) module searches, saved searches, or ad hoc searches using indexed data coming in your Splunk platform deployment. ITSI uses the
itsiimportobjects command to import entities from searches.
For Configuration Management Database (CMDB) integration, you can set up your Splunk platform deployment to directly query the database where the CMDB data is stored so that you can use a search to import the CMDB data into ITSI as entities. You can automate the import from search for ongoing updates. For more information about CMDB integration with ITSI, see the CMDB-to-ITSI app on Splunkbase.
You can import a maximum of 50,000 entities at a time in ITSI. If you attempt to import more than 50,000 entities, only the first 50,000 are imported.
|ITSI role||You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role and access to the Global team.|
|Indexed data||You must have already indexed data you want to associate with entities.|
Follow these steps to import entities from a search in ITSI.
- From the ITSI main menu, go to Configuration > Entities.
- Select Create Entity > Import from Search.
- Select one of the following search types:
Search Type Description Module Choose from a list of pre-defined entity discovery searches based on ITSI modules. For more information about using modules to create entities, see ITSI module entity discovery in the ITSI Modules manual. Saved Searches Choose from a list of pre-defined ITSI saved searches. Ad hoc Search Enter a custom search string.
- Enter an ad hoc search string, or select a predefined module search or saved search. Make sure the results are presented in a table. In this example, the entities are imported using an ad hoc search.
- Click the Search icon to view a preview of the search results.
- Click Next.
- Under Import Column As, select the appropriate column type for each column.
Column type Description Entity Title Makes the column entry the entity title. The column is also added as an Entity Alias using
<column name> = <value>.
Entity Description Makes the column entry a description of the entity. Entity Alias Makes the column entry a searchable entity identifier. Event Data Search uses aliases to populate recent log events for an entity in the entity health page.
When creating an entity alias, make sure the key-value pair is unique. ITSI relies on alias key-value pairs to identify entities in visualizations such as Service Analyzer and Episode Review. To identify any duplicate entity aliases in your environment, see the Check for Duplicate Entity Aliases panel of the ITSI Health Check dashboard.
Entity Information field Makes the column entry a tag that provides user-facing validation. Information fields are like common fields and can have the same values across entities. For example, an info field like
datacenter=vault13can be common to all the entities of the same data center.
Entity Type Associates the entity with an existing entity type that matches the column entry. If the entity type doesn't already exist, you have to create it first. ITSI ignores entity type column entries that don't already exist. Service Title Makes the column entry the name of the service to associate the entity with. The service is created if it does not already exist. Service Description Makes the column entry the description of the service. Do Not Import Removes the column entry from the imported data.
- Configure the following options in the Settings section:
Option Description Service Team
(Only displays if you are importing services.)
The team to create the services in. Import Services As
(Only displays if you are importing services.)
Whether services are enabled or disabled upon import. Conflict Resolution Determines how ITSI updates and stores your entity data:
- Skip Over Existing Entities: Adds new entity data to the datastore only if the entity does not already exist. If an entity already exists, the entity is not updated.
- Update Existing Entities: Merges the imported data and the existing data associated with the entity. Uses the Conflict Resolution field to identify the entity.
- Replace Existing Entities: Replaces existing entity data with new entity data. Uses the Conflict Resolution field to identify the entity.
Conflict Resolution Field The field used to merge on. Entities that have the same field value are considered to be the same entity. For example, if there is an entity defined with the same IP then merge into that entity. If Conflict Resolution is set to
Update Existing Entitiesor
Replace Existing Entities, ITSI resolves duplicate entities based on this field.
- In the Preview section, click Entities to be imported to confirm that your entity import configuration is correct.
The preview shows the entity information you're importing. It doesn't show the final merged entity values.
- Click Import.
A message appears confirming that the import is complete.
- Click the View all Entities link to confirm your imported entities appear in the Entity viewer page.
- (Optional) Click Set up Recurring Import to create a saved search that triggers the
itsi_import_objectsalert action for search results. The alert action uses the
itsiimportobjectscommand to import entities. For more information, see Set up recurring import of entities in ITSI.
Create a single entity in ITSI
Import entities from a CSV file in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4