ITSI Bug ? storeentities commands service_fields o...

vantasy1208 · ‎01-24-2016

Dear ITSI dev dept,

these days i work with splunk ITSI v2.0.0 to monitor our network environment
i want to setup a scheduled search with storeentites command to update my entities periodlcally

my search string is looked like:
... | storeentities identifier_fields="xxx" informational_fields="yyy" service_fields="zzz" insertion_mode=replace

after execute the search , i can see the entities are created with alias and informational fields
but they do not bind to any service.

could u help me to confirm is it a BUG ?
thank u very much

mglauser_splunk · ‎04-26-2016

Hello vantasy1208,

Can you try adding semicolon delimiters to your search and see if it produces more favorable results?

Additionally, please take a look at this documentation page:

http://docs.splunk.com/Documentation/ITSI/latest/Configure/Aboutthestoreentitiescommand

It lists some guidelines that might help you out.

vantasy1208 · ‎01-29-2016

i have updated ITSI to version v2.1.0
the service_fields option seemed to works correctly , even though it is not stable.

but i meet another issue,
after execute storeentities commands,
i go to the configure>entitites pages , i can see title , alias , services column with context.
then i go to the configure>services pages , the entity rules column of each service is null.
so it means that no entities had bind to any services ?

ITSI Bug ? storeentities commands service_fields option does not work

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration