Splunk® IT Service Intelligence

Entity Integrations Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

ITSI entity discovery searches

As of version 4.9, you can no longer use the integration with the Splunk App for Infrastructure (SAI) to import entities from SAI to ITSI. However, your SAI entities can still be discovered as native entities in ITSI. The saved searches are enabled by default and allow you to continue monitoring your infrastructure entities.

The complete list of saved searches are found under the [ITSI Import Objects] stanza in $SPLUNK_HOME/etc/apps/itsi/default/savedsearches.conf. To avoid performance issues caused by excessive search executions, you can disable the entity discovery searches for entities that you're not collecting data from.

Saved search Data Sources Entity Type ITSI Data Integration Method
ITSI Import Objects - AWS Cloudwatch EBS
  • AWS Cloudwatch EBS metrics
N/A Splunk Add-on for AWS
ITSI Import Objects - AWS Cloudwatch EC2
  • AWS Cloudwatch EC2 metrics
N/A Splunk Add-on for AWS
ITSI Import Objects - AWS Cloudwatch ELB
  • AWS Cloudwatch ELB metrics
N/A Splunk Add-on for AWS
ITSI Import Objects - Kubernetes Node
  • Kubernetes Node metrics
  • Kubernetes Node metadata
Kubernetes Node Splunk Connect for Kubernetes
ITSI Import Objects - Kubernetes Pod
  • Kubernetes Pod metrics
  • Kubernetes Pod metadata
Kubernetes Pod Splunk Connect for Kubernetes
ITSI Import Objects - OS
  • System metrics
*nix Unix and Linux Integration - Collectd
ITSI Import Objects - Perfmon
  • System metrics
Windows Perfmon on Splunk Universal Forwarder
ITSI Import Objects - TA *Nix
  • System metrics
Unix/Linux Add-on Unix and Linux Integration - Splunk Add-on for Unix and Linux
ITSI Import Objects - VMWare Cluster
  • VMware Cluster metrics
VMware Cluster VMware
ITSI Import Objects - VMware Datastore
  • VMware Datastore metrics
  • VMware VM/ESXI Datastore metrics
VMware Datastore VMware
ITSI Import Objects - VMware Host
  • VMware ESXi metrics
  • VMware ESXi Host
  • VMware
VMware ESXi Host VMware
ITSI Import Objects - VMware VM
  • VMware VM metrics
VMware VM VMware
ITSI Import Objects - VMware vCenter
  • VMware vCenter metrics
VMware vCenter VMware

Prerequisites

Update search macros

Include the index that you are sending data to as part of the itsi_im_metrics_indexes macro to use the entity discovery saved searches shipped with ITSI. If you are using your own custom saved search, update the macro to include the index that you are sending data to.

You can do this by updating your HEC token configuration to point to the correct ITSI indexes. For more information about updating your HEC tokens, see see Configure the HTTP Event Collector to collect entity integration data in ITSI.

Indexed data

You must have already indexed data you want to associate with entities.

Disable entity discovery searches

You can disable the searches for entity types that are not collecting data in your environment.

To disable the searches, follow these steps:

  1. Navigate to Settings > Searches, Reports, and Alerts.
  2. Filter on ITSI Import Objects to display the entity discovery saved searches. The saved searches are enabled by default.

    Filtering to Owner: Nobody on this page causes the searches to not display. Ensure you filter to Owner: All.

  3. Enable the saved searches by clicking Edit > Disable. For best performance, only enable the searches for the entity types you want to use.

After the searches run, your entities will display on the Infrastructure Overview page, where you can track the entity's status and investigate vital metrics. For more information, see About the Infrastructure Overview in ITSI.

Last modified on 15 November, 2021
PREVIOUS
Import entities from a CSV file in ITSI
  NEXT
Set up a recurring import of entities in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters