topic Re: ITSI Entity import - Add your own saved search in Splunk ITSI

ITSI Entity import - Add your own saved search

JovanMilosevic — Mon, 10 Jul 2017 09:29:45 GMT

I'm trying to import entities using a search. The docs say that I can use a saved search from a predefined list. I want to save my own. I've created a saved search that suits. It doesn't appear in the drop down. I've made it global, and even added it to the SA-IOTA app (Where the predefined ones live). I've tried cloning a predefined one, and amending it. I can never get to use my search in the Entity import.

I'm working in a SHC environment, so I can't save my work as a modular input, so I thought saving my search would at least cut down on the amount of work each time I have to update Entities.

Anyone any ideas how I can add my saved searche to the list of predefined ones ?

Thanks in advance.

Re: ITSI Entity import - Add your own saved search

jkat54 — Mon, 10 Jul 2017 13:54:43 GMT

Did you follow "import from search" directions here?:

http://docs.splunk.com/Documentation/ITSI/2.6.0/Configure/DefineEntities

Re: ITSI Entity import - Add your own saved search

JovanMilosevic — Mon, 10 Jul 2017 14:03:06 GMT

I did.

From the docs...
Saved Searches Lets you choose from a list of pre-defined ITSI saved searches.

My question is "How do I put one of my searches into the list of pre-defined ITSI saved searches", as the current ones don't meet my needs.

Re: ITSI Entity import - Add your own saved search

jkat54 — Mon, 10 Jul 2017 21:17:57 GMT

Is the saved search shared in the app or private to just your user?

Re: ITSI Entity import - Add your own saved search

jkat54 — Mon, 10 Jul 2017 21:21:59 GMT

Oh I see what you're saying now. I'm not sure how to do that but I'll ask around.

Re: ITSI Entity import - Add your own saved search

jkat54 — Mon, 10 Jul 2017 21:54:48 GMT

So it worked fine for me in a single instance.

I edited the Splunk\etc\apps\SA-ITOA\default\savedsearches.conf, copy and pasted an existing search, and slightly modified it. Then i restarted and it shows up under saved searches:

[IT Service Intelligence - asdfGet Windows hosts]
description             = Retrieves a list of hosts generating Windows host data
search                  = | asdfdatamodel Compute_Inventory OS search | search 
All_Inventory.tag=windows | dedup All_Inventory.dest | rename All_Inventory.dest AS dest | table dest
request.ui_dispatch_app = itsi

Re: ITSI Entity import - Add your own saved search

JovanMilosevic — Tue, 11 Jul 2017 09:36:34 GMT

Thanks for the steer.

I created a local directory in the SA-IOTA app on the Search Head Deployer (in $SPLUNK_HOME/etc/shcluster/apps/SA-IOTA), and placed my search savedsearches.conf in the local directory just created. This keeps our searches separate from the Splunk supplied ones, and ensures mine don't get obliterated by an upgrade. When the bundle is deployed, Splunk merges it into default on each Search Head. Job done.

Re: ITSI Entity import - Add your own saved search

jkat54 — Tue, 11 Jul 2017 09:54:18 GMT

I'm curious what the difference was between when you cloned it etc versus when you got it to work. Yes you should put it in local for sure. Sorry I didn't mention that. I just tested default because it was easy.

Re: ITSI Entity import - Add your own saved search

ian_thomas — Mon, 06 Nov 2017 13:49:41 GMT

Wondering how this would behave with a macro in place of the search in savedsearches.conf. Would allow itsi admins without CLI access to update searches.

Thoughts?