
Edit a default entity type in ITSI
Every entity type comes with at least one default metrics filter and one default events filter that populates the Analysis Workspace with data. You can edit a default entity type in the ITSI user interface or through an ITSI REST API endpoint. You can delete a custom entity type in ITSI, but you can't delete a default entity type. For a list of default entity types in ITSI, see Default entity types and their properties.
Prerequisites
Requirement | Description |
---|---|
ITSI roles | You need to log in as a user with the itoa_admin or itoa_team_admin role. |
Edit a default entity type in the ITSI user interface
Perform the following steps to edit a default entity type in ITSI:
- From the ITSI main menu, click Configuration > Entities.
- Click Entity Types.
- Click Edit on the entity type you want to edit.
- After you make your changes, click Save.
Edit a default entity type through the REST API
You can edit a default entity type through the ITSI REST API. You can delete custom entity types that you create, but you can't delete the default entity types included with ITSI. For more information, see ITSI REST API reference in the ITSI REST API reference manual.
servicesNS/nobody/SA-ITOA/itoa_interface/entity_type
The following example shows how to edit an entity type through the ITSI REST API.
GET
Get a list of entity types in your environment.
Request parameters
N/A
Data payload:
N/A
Return
A list of entity types.
Example request
curl -k -u admin:password https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity_type
POST
Edit an entity type.
Request parameters
N/A
Data payload:
N/A
Return
The updated object key.
Example request
curl -k -u admin:password -X POST -H "Content-Type: application/json" https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity_type/<entity-type-key> -d '{ "title": "<new entity type name>", "description": "Windows type", "data_drilldowns": [{"type": "metrics", "title": "System metrics", "static_filter": {"type": "include", "field": "metric_name", "values": ["*"]}, "entity_field_filter": {"type": "entity", "entity_field": "host", "data_field": "host"}}, {"type": "events", "title": "Windows logs", "static_filter": {"type": "include", "field": "sourcetype", "values": ["*"]}, "entity_field_filter": {"type": "entity", "entity_field": "host", "data_field": "host"}}], "_key": "windows", "dashboard_drilldowns": [{"id": "windows_overview_dashboard", "base_url": "", "is_splunk_dashboard": false, "title": "Windows Overview Dashboard", "params": {"static_params": {}, "alias_param_map": []}}]}'
DELETE
Delete entity types.
Request parameters
N/A
Data payload:
N/A
Return
204 success message if you delete a custom entity type.
400 error if you try to delete a default entity type.
Example request
curl -k -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity_type/<_key>
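A pre-flight check for the POST edit request above, added here as an example and not part of the Splunk documentation: it validates an edit payload against the fields visible in the example request, then builds the same POST with the server certificate verified instead of skipped as with curl -k. The function names, the bearer-token header (which assumes Splunk token authentication is enabled), the CA bundle path, and the rule that an edit keeps one metrics and one events drilldown are assumptions of this example.

```python
import json
import ssl
import urllib.parse
import urllib.request

ENDPOINT = "servicesNS/nobody/SA-ITOA/itoa_interface/entity_type"
DRILLDOWN_TYPES = {"metrics", "events"}

def check_entity_type(key, payload):
    """Return problems in an edit payload (fields from the page's POST example)."""
    problems = []
    if payload.get("_key", key) != key:
        problems.append("_key does not match the key in the URL")
    if not str(payload.get("title", "")).strip():
        problems.append("title is empty")
    seen = set()
    for i, dd in enumerate(payload.get("data_drilldowns", [])):
        where = f"data_drilldowns[{i}]"
        if dd.get("type") not in DRILLDOWN_TYPES:
            problems.append(f"{where}: type must be metrics or events")
            continue
        seen.add(dd["type"])
        static = dd.get("static_filter") or {}
        if not static.get("field") or not static.get("values"):
            problems.append(f"{where}: static_filter needs field and values")
        entity = dd.get("entity_field_filter") or {}
        if not entity.get("entity_field") or not entity.get("data_field"):
            problems.append(f"{where}: entity_field_filter needs entity_field and data_field")
    # Assumption: an edit should keep one filter of each type, as default types have.
    problems += [f"no {t} drilldown" for t in sorted(DRILLDOWN_TYPES - seen)]
    return problems

def build_edit_request(base_url, key, payload, token):
    """Build the POST to entity_type/<key>; raise ValueError on a bad payload."""
    problems = check_entity_type(key, payload)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"{base_url.rstrip('/')}/{ENDPOINT}/{urllib.parse.quote(key, safe='')}"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, data=json.dumps(payload).encode(),
                                  headers=headers, method="POST")

def send(request, ca_file):
    """Send with the server certificate verified against ca_file (no curl -k)."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return resp.status, resp.read().decode()
```

Call build_edit_request with the payload you intend to send, then pass the result to send along with the path to the CA certificate that signed the management port's certificate.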
Configure vital metric alerts
You can configure alerts that generate notable events when vital metrics cross your established thresholds.
Perform the following steps to configure vital metric alerts for default entity types:
- From the ITSI main menu, click Configuration > Entities.
- Click Entity Types.
- Click Edit on the entity type you want to edit.
- Expand the Vital Metrics (optional) section and select the vital metric that you want to create an alert for. The alert will be applied to all entities categorized under the entity type that you create the alert for.
- In the Alerting section, click Add Alert. The alert is enabled by default.
- In the alert window, set the alert schedule, a time to suppress the alert after it is fired, and alert thresholds for the vital metric.
- Set up trigger conditions for the thresholds. The Critical threshold is required. You can adjust this threshold value, but the threshold cannot be deleted.
- (Optional) Click Add a threshold level to create a Warning threshold.
- For the If metric is field, select greater than or less than to set the threshold hierarchy. If you select greater than, the Critical threshold is a maximum threshold. If you select less than, the Critical threshold is a minimum threshold.
- Click Save.
- After you configure a vital metric alert, a new saved search is created in the local savedsearches.conf. For example, if you create a vital metric for Average CPU Usage for the *nix entity type, you'll see a search called [ITSI Vital Metric Alert - Average CPU Usage Alert for *nix entity type]. When you remove an alert, the saved search is deleted.
Next Steps
- You can monitor alerts on the Episode Review page. For more information, see Overview of Episode Review in ITSI.
- You can create notable event aggregation policies for your entity type alerts to group alerts into episodes. For more information, see Overview of aggregation policies in ITSI.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6