Splunk IT Service Intelligence

How to extract the entities in a service as a lookup in ITSI

Path Finder

I have been wracking my poor brain on how to extract the entities from my services in ITSI.

Here is what I want to do. I want to use my configured services and entities to create a lookup to drive my kpi adhoc searches so when and if I have to update the entities in the service the associated searches will pull the correct entities.

I may be trying to go about this the wrong way, so it you have a better suggestion then I am open for new ideas.

Thanks in advance,

0 Karma

Path Finder

Something like that. I want to know what entities are in the service so I can create an adhoc job for the kpi on just those entities. From a lookup table would be ok but I'd rather have the kdi read the data directly from the configuration. That way if I add or remove entities the kpi automatically adjusts.

0 Karma


Are you wanting to extract the entity names? I'm assuming you want to extract the entity names and write them to a lookup table?

0 Karma


Is this what you ar looking for ?

| inputlookup itsi_entities append=true
| rename services._key as service_key
| rename title as entity
| fields entity, service_key
| where isnotnull(service_key)
| mvexpand service_key
| inputlookup service_kpi_lookup append=true
| eval key=coalesce(service_key,_key)
| stats values(entity) as entity, values(title) as service by key
| mvexpand entity
| fields entity service
| sort 0 entity
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...