Splunk® IT Service Intelligence

Entity Integrations Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Create a single entity in ITSI

Create a single entity in Splunk IT Service Intelligence (ITSI) to associate events your Splunk platform deployment receives. An entity is an IT component that requires management to deliver an IT service. Each entity has specific attributes and relationships to other IT processes that uniquely identify it. Entities contain alias fields and informational fields ITSI associates with indexed events. For more, see Entities in the Service Insights manual.

You can associate entities with entity types. Entity types define visualizations and resources for entities. For more information, see Overview of entity types in ITSI.

After you create entities, associate them with ITSI services by using entity rules. For more information about entity rules and configuring services, see Overview of creating services in ITSI in the ITSI Service Insights manual.

Prerequisites

Requirement Description
ITSI role You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role.

Steps

Follow these steps to manually create a single entity.

  1. From the ITSI main menu, go to Configuration > Entities.
  2. Select Create Entity > Create Single Entity.
  3. Configure the following fields to define your entity:
    Field Description
    Name The name of the entity.
    Description Provide a description of the entity. You can view the description from the Entities lister page later.
    Team All entities are created in the Global team. You can't modify this field.
    Aliases

    Field-value pairs that identify the entity. Fields and values are case insensitive. For example:

    host=webserver-01

    IP=10.2.1.1

    MAC=C6:4B:B9:E8:E6:2A

    If a field has multiple values, separate them with commas. For example, host = webserver-01, webserver-01.splunk.com .

    When creating an entity alias, make sure the key-value pair is unique. ITSI relies on alias key-value pairs to identify entities in visualizations such as Service Analyzer and Episode Review, and ensure that information is displayed accurately for each entity. To identify any duplicate entity aliases in your environment, see the Check for Duplicate Entity Aliases panel of the ITSI Health Check dashboard.

    Info Fields

    Field-value pairs that associate specific attributes with the entity. Info fields are like common fields, and can have the same values across entities. For example, an info field like datacenter=vault13 can be common to all the entities of the same data center. Fields and values are case insensitive. For example:

    role=webserver

    owner=Ops

    If a field has multiple values, separate them with commas. For example, component=metrics, store.

    Alias and info fields and values have the following restrictions:

    • Unsupported characters in field names: single quotes ('), double quotes ("), dollar sign ($) as the first character, equal sign (=), period (.), and commas (,).
    • Unsupported characters in field values: single quotes ('), double quotes ("), and dollar sign ($) as the first character.
  4. Select existing Entity Types you want to associate the entity with. You can select zero or more entity types. If you don't have existing entity types, create them first. You can edit the entity later and associate it with entity types. For more information about creating entity types, see Configure entity types in ITSI.
  5. Click Create. The entity appears in the Entities lister page.
Last modified on 29 July, 2021
PREVIOUS
SKCIntegration
  NEXT
Import entities from a search in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters