Set up a recurring import of entities in ITSI
After you bulk import entities in (ITSI), you can configure recurring imports to update existing entities and create new entities. ITSI uses a saved search for recurring imports. If you have existing, recurring imports from a CSV file that use modular inputs for the import action, those recurring imports continue to work, but you can't create new recurring imports from a CSV file with a modular input.
If you performed a bulk import from a Splunk search, configure a recurring import in Splunk Web. ITSI creates a saved search that triggers the
itsi_import_objects alert action for search results. The alert action uses the
itsiimportobjects command to import entities.
If you performed a bulk import from a CSV file, deploy a universal forwarder to monitor the file and send data to indexes ITSI uses to create and update entities. When ITSI indexes the data, import events from a Splunk search and then set up a recurring import using a saved search.
|ITSI role||You have to log in as a user with the itoa_admin or itoa_team_admin role.|
|Entity creation||Before setting up a recurring import of entities, you have to have already imported entities from a Splunk search or CSV file.|
Set up a recurring entity import from a CSV file
Follow these steps to create a recurring entity import from data you store in a CSV file. You have to set up a universal forwarder on the system you store the CSV file to monitor the file and send data to your Splunk platform deployment, run an import from a Splunk search, and finally set up a recurring import from the Splunk search.
For more information about monitoring files, see Monitor files and directories in the Splunk Enterprise Getting Data In manual.
You can't set up a recurring import directly from a CSV file in Splunk Web. Instead, follow these steps:
- Download and install a universal forwarder on the system that stores the CSV file. For information about setting up a universal forwarder, see Install the universal forwarder software in the Splunk Universal Forwarder Forwarder Manual.
- To enable the forwarder to send data to Splunk Cloud Platform, download the universal forwarder credentials file. For instructions, see the appropriate topic for the operating system that stores the CSV file in the Introduction to Getting Data In chapter of the Splunk Cloud Platform Admin Manual. This chapter includes instructions for getting data in from Amazon Web Services, Microsoft Azure, *nix, Windows, and local files and directories.
- If your Splunk platform deployment wasn't configured for receiving yet, configure receiving now. For more information, see Enable a receiver in the Splunk Enterprise Forwarding Data manual.
- Configure forwarding on the universal forwarder. For more information, see Configure the universal forwarder using configuration files in the Splunk Universal Forwarder Forwarder Manual.
- Configure the universal forwarder to monitor the CSV file that contains data you want to import to ITSI where necessary. as entities. Use
monitorstanzas in the inputs.conf file on the universal forwarder to monitor the CSV file and send data to your Splunk platform deployment. An example
monitorstanza looks like this:If the file ends with
[monitor:///path/to/my/file.csv] disabled = 0 sourcetype = csv
.csv, you don't have to specify the source type. For more information about configuring a universal forwarder to monitor the CSV file, see Monitor files and directories with inputs.conf in the Splunk Enterprise Getting Data In manual.
- Restart the universal forwarder:
- Once data from the CSV file is indexed in your Splunk platform deployment that runs ITSI , manually import entities from a Splunk search. For more information about manually importing entities from a Splunk search, see Manually import entities from a Splunk search in ITSI .
- Set up a recurring import from the import with a Splunk search.
Set up a recurring entity import from a Splunk search
Follow these steps to create a recurring entity import from a Splunk search.
The recurring import search executes as
splunk-system-user, which returns entities from datasets that exist in indexes that the user creating the import might not have access to.
To set up a recurring import, you must have already set up an entity import from a Splunk search. For more information, see Manually import entities from a Splunk search in ITSI .
- After the import from the search process is complete, click Set up Recurring Import.
- Provide a name for the recurring import.
- Set the scheduled time and frequency to run the import.
- Click Submit. ITSI creates a new saved search in the savedsearches.conf file. The name of the saved search is
ITSI Import Objects - <importName>, where
importNameis the name of the import you specified when setting up the recurring import. The saved search triggers an alert action which runs a search command to add entities to ITSI.
Note: Configure the scheduled time based on the Splunk server's timezone.
Modify or delete a recurring import
Modify or delete the saved search ITSI created when you configured the recurring import from a search. Follow these steps to modify or delete a recurring import from a search.
- From Splunk Web, go to Settings > Searches, reports, and alerts.
- Find the saved search ITSI created when you configured the recurring import. By default, the name of the saved search starts with
ITSI Import Objects.
- Click Edit and select among these options to modify the saved search:
Option Description Edit Search Change the description, search string, earliest time, or latest time for the recurring import. Edit Schedule Change the time interval to control how often the recurring import runs. Advanced Edit Change the field settings for the recurring import. For example, you can change the entity title and other parameters from here.
- If you want to delete the recurring import, click Edit and select Delete for the corresponding saved search.
ITSI entity discovery searches
Generate pseudo entities in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.1 Cloud only, 4.5.0 Cloud only, 4.6.0 Cloud only, 4.5.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only