All Apps and Add-ons

How can I trim short lifetime entities from SAI

yannK (Splunk Employee)

I have SAI (Splunk App for Infrastructure) automatically detecting new entities.

But as I use VMs and containers, it detects many entities that have a short lifetime; usually they are deleted after a day or two. In the UI it tags them as state=inactive, because there are no new events.

I would like to remove them from SAI a few days after they go inactive, to clean up. Can it be done, and can it be automated?

1 Solution

yannK (Splunk Employee)

Answer:

- As of SAI 2.0.2 there is not yet an automatic clean-up. You can vote for the feature here: https://ideas.splunk.com/ideas/ITSIID-I-48

- The SAI UI lets you delete entities (individually, or in bulk), but it's not automatic.

- Workaround:

The entities in SAI are in a lookup; you can set up a search that reads the lookup, filters to keep only active entities and inactive ones that are old, then replaces the lookup content. It can be scheduled as a saved search to run once in a while (daily or weekly).

Example to keep only active entities, and inactive entities that were untouched in the last 7 days:

| inputlookup em_entities
| eval updates_date_threshold=now()-(7*24*60*60)   ``` cut-off in epoch seconds: 7 days before search time ```
| where state="active" OR (state="inactive" AND updated_date>updates_date_threshold)   ``` where, not search: search would compare updated_date to the literal string "updates_date_threshold" rather than to the field ```
| outputlookup em_entities   ``` replaces the whole lookup content with the rows that survived the filter ```
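The answer above describes the procedure (read the lookup, filter, write it back, schedule it) but does not show how to schedule it or how to try it safely. The savedsearches.conf fragment below is an added example, not configuration shipped with SAI and not part of the original post. It assumes the lookup name em_entities and the fields state and updated_date exactly as used in the post (updated_date assumed to be epoch seconds, and the lookup assumed to be KV-store backed so that _key is present); the stanza names, the backup lookup name em_entities_backup, and the 3 AM daily cron schedule are hypothetical choices. Put it in the local savedsearches.conf of the app the search should run in.

```ini
# savedsearches.conf (added example; assumptions are marked in the comments).
# The three stanzas are one procedure: back up, dry-run, then prune.

# Step 1: snapshot the entity lookup before anything rewrites it. A new lookup
# name is created as a CSV lookup file in this app; the name is hypothetical.
# Undo a bad prune with: | inputlookup em_entities_backup | outputlookup em_entities
[SAI entity prune - backup]
search = | inputlookup em_entities | outputlookup em_entities_backup
cron_schedule = 50 2 * * *
enableSched = 1
dispatch.earliest_time = -1m
dispatch.latest_time = now

# Step 2: report what WOULD be removed, without touching em_entities.
# This is the negation of the keep filter, so the two stanzas cannot drift apart
# silently. Let it run a few times and review the rows before enabling step 3.
# relative_time(now(), "-7d@d") is the same 7-day cut-off as the post, snapped
# to midnight so every daily run uses the same boundary.
[SAI entity prune - dry run]
search = | inputlookup em_entities \
| eval updates_date_threshold = relative_time(now(), "-7d@d") \
| where NOT (state="active" OR (state="inactive" AND updated_date > updates_date_threshold)) \
| table _key state updated_date
cron_schedule = 55 2 * * *
enableSched = 1
dispatch.earliest_time = -1m
dispatch.latest_time = now

# Step 3: the actual prune. Shipped disabled (enableSched = 0); flip it to 1
# only after the dry-run output matches what you expect to lose.
[SAI entity prune]
search = | inputlookup em_entities \
| eval updates_date_threshold = relative_time(now(), "-7d@d") \
| where state="active" OR (state="inactive" AND updated_date > updates_date_threshold) \
| outputlookup em_entities
cron_schedule = 0 3 * * *
enableSched = 0
dispatch.earliest_time = -1m
dispatch.latest_time = now
```

Two properties of this filter are worth checking in the dry run before enabling the prune. First, it keeps only rows whose state is exactly "active" or "inactive"; an entity in any other state is dropped. Second, an inactive row with no updated_date value fails the comparison and is dropped as well. If either is not what you want, widen the where clause (for example `OR isnull(updated_date)`) rather than the cron schedule. Note also that this rewrites only this one lookup; deleting through the SAI UI remains the supported path, and the scheduled search should run as an account that is allowed to write to the lookup in this app.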