Splunk IT Service Intelligence

How to extract the entities in a service as a lookup in ITSI

Path Finder

I have been wracking my poor brain on how to extract the entities from my services in ITSI.

Here is what I want to do. I want to use my configured services and entities to create a lookup to drive my kpi adhoc searches so when and if I have to update the entities in the service the associated searches will pull the correct entities.

I may be trying to go about this the wrong way, so it you have a better suggestion then I am open for new ideas.

Thanks in advance,
Rcp

0 Karma

Path Finder

Something like that. I want to know what entities are in the service so I can create an adhoc job for the kpi on just those entities. From a lookup table would be ok but I'd rather have the kdi read the data directly from the configuration. That way if I add or remove entities the kpi automatically adjusts.

0 Karma

SplunkTrust
SplunkTrust

Are you wanting to extract the entity names? I'm assuming you want to extract the entity names and write them to a lookup table?

0 Karma

Explorer

Is this what you ar looking for ?

| inputlookup itsientities append=true
| rename services.
key as servicekey
| rename title as entity
| fields entity, service
key
| where isnotnull(servicekey)
| mvexpand service
key
| inputlookup servicekpilookup append=true
| eval key=coalesce(servicekey,key)
| stats values(entity) as entity, values(title) as service by key
| mvexpand entity
| fields entity service
| sort 0 entity

0 Karma