Splunk® IT Service Intelligence

Entity Integrations Manual


Import entities from a search in ITSI

Create entities from IT Service Intelligence (ITSI) module searches, saved searches, or ad hoc searches using indexed data coming into your Splunk platform deployment. ITSI uses the itsiimportobjects command to import entities from searches.

For Configuration Management Database (CMDB) integration, you can set up your Splunk platform deployment to directly query the database where the CMDB data is stored so that you can use a search to import the CMDB data into ITSI as entities. You can automate the import from search for ongoing updates. For more information about CMDB integration with ITSI, see the CMDB-to-ITSI app on Splunkbase.

You can import a maximum of 50,000 entities at a time in ITSI. If you attempt to import more than 50,000 entities, only the first 50,000 are imported.

Prerequisites

Requirement | Description
ITSI role | You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role and access to the Global team.
Indexed data | You must have already indexed data you want to associate with entities.

Steps

Follow these steps to import entities from a search in ITSI.

  1. From the ITSI main menu, go to Configuration > Entities.
  2. Select Create Entity > Import from Search.
  3. Select one of the following search types:
    Search Type | Description
    Module | Choose from a list of pre-defined entity discovery searches based on ITSI modules. For more information about using modules to create entities, see ITSI module entity discovery in the ITSI Modules manual.
    Saved Searches | Choose from a list of pre-defined ITSI saved searches.
    Ad hoc Search | Enter a custom search string.
  4. Enter an ad hoc search string, or select a predefined module search or saved search. Make sure the results are presented in a table. In this example, the entities are imported using an ad hoc search.
  5. Click the Search icon to view a preview of the search results.
  6. Click Next.
  7. Under Import Column As, select the appropriate column type for each column.
    Column type | Description
    Entity Title | Makes the column entry the entity title. The column is also added as an Entity Alias using <column name> = <value>.
    Entity Description | Makes the column entry a description of the entity.
    Entity Alias | Makes the column entry a searchable entity identifier. Event Data Search uses aliases to populate recent log events for an entity in the entity health page. When creating an entity alias, make sure the key-value pair is unique. ITSI relies on alias key-value pairs to identify entities in visualizations such as Service Analyzer and Episode Review. To identify any duplicate entity aliases in your environment, see the Check for Duplicate Entity Aliases panel of the ITSI Health Check dashboard.
    Entity Information field | Makes the column entry a tag that provides user-facing validation. Information fields are like common fields and can have the same values across entities. For example, an info field like datacenter=vault13 can be common to all the entities of the same data center.
    Entity Type | Associates the entity with an existing entity type that matches the column entry. If the entity type doesn't already exist, you have to create it first. ITSI ignores entity type column entries that don't already exist.
    Service Title | Makes the column entry the name of the service to associate the entity with. The service is created if it does not already exist.
    Service Description | Makes the column entry the description of the service.
    Do Not Import | Removes the column entry from the imported data.
  8. Configure the following options in the Settings section:
    Option | Description
    Service Team (only displays if you are importing services) | The team to create the services in.
    Import Services As (only displays if you are importing services) | Whether services are enabled or disabled upon import.
    Conflict Resolution | Determines how ITSI updates and stores your entity data:
    • Skip Over Existing Entities: Adds new entity data to the datastore only if the entity does not already exist. If an entity already exists, the entity is not updated.
    • Update Existing Entities: Merges the imported data and the existing data associated with the entity. Uses the Conflict Resolution field to identify the entity.
    • Replace Existing Entities: Replaces existing entity data with new entity data. Uses the Conflict Resolution field to identify the entity.
    Conflict Resolution Field | The field used to merge on. Entities that have the same field value are considered to be the same entity. For example, if an entity is already defined with the same IP, the imported data is merged into that entity. If Conflict Resolution is set to Update Existing Entities or Replace Existing Entities, ITSI resolves duplicate entities based on this field.
    For more information about Conflict Resolution, see Resolve conflicts during ITSI entity imports in the ITSI Administration Manual.
  9. In the Preview section, click Entities to be imported to confirm that your entity import configuration is correct.

    The preview shows the entity information you're importing. It doesn't show the final merged entity values.
  10. Click Import.
    A message appears confirming that the import is complete.
  11. Click the View all Entities link to confirm your imported entities appear in the Entity viewer page.
  12. (Optional) Click Set up Recurring Import to create a saved search that triggers the itsi_import_objects alert action for search results. The alert action uses the itsiimportobjects command to import entities. For more information, see Set up recurring import of entities in ITSI.
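
The preview in step 9 does not show merged values, so it helps to check the result table before clicking Import. The following is an added example, not Splunk code: a check run on exported search rows that flags alias key-value pairs claimed by more than one entity, rows that the Conflict Resolution Field would treat as one entity, and rows beyond the 50,000 limit. The function name, column names and sample rows are assumptions made for illustration, and one row is assumed to describe one entity.

```python
from collections import defaultdict

MAX_IMPORT = 50_000  # the page states only the first 50,000 entities are imported

# Constructed sample rows shaped like a search result table (not real data).
SAMPLE_ROWS = [
    {"host": "web01", "ip": "10.0.0.11", "datacenter": "vault13"},
    {"host": "web02", "ip": "10.0.0.12", "datacenter": "vault13"},
    {"host": "db01", "ip": "10.0.0.12", "datacenter": "vault13"},   # ip alias reused
    {"host": "web01", "ip": "10.0.0.99", "datacenter": "vault13"},  # same host twice
]


def preflight(rows, title_col, alias_cols, conflict_field, limit=MAX_IMPORT):
    """Report problems in a result table before it is imported as entities.

    title_col      -- column mapped to Entity Title
    alias_cols     -- columns mapped to Entity Alias
    conflict_field -- column chosen as the Conflict Resolution Field
    """
    kept, dropped = rows[:limit], rows[limit:]

    owners = defaultdict(set)        # (alias key, value) -> entity titles using it
    same_entity = defaultdict(list)  # conflict-field value -> row indexes
    for idx, row in enumerate(kept):
        title = row.get(title_col, "")
        for col in alias_cols:
            value = row.get(col)
            if value not in (None, ""):
                owners[(col, value)].add(title)
        key = row.get(conflict_field)
        if key not in (None, ""):
            same_entity[key].append(idx)

    return {
        # rows past the limit would be left out of the import
        "rows_over_limit": len(dropped),
        # alias pairs that are not unique across entities
        "duplicate_aliases": {
            f"{col}={val}": sorted(titles)
            for (col, val), titles in owners.items() if len(titles) > 1
        },
        # rows sharing a conflict-field value count as the same entity
        "collapsed_rows": {k: v for k, v in same_entity.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for name, finding in preflight(SAMPLE_ROWS, "host", ["ip"], "host").items():
        print(name, finding)
```
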
Last modified on 04 January, 2021

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only

