Splunk IT Service Intelligence

ITSI: how to obtain the same information found in the GUI for Entities and Services within a search

theprophet01
Explorer

Hello!

I would like to run a search which would display all information regarding entities and services.

For example, for Entities, where could I find the information stored for: Entity Description, Entity Information Field, Entity Title?

For Services, where could I find the information stored for: Service Description, Service Title, Service Tags?

What type of search query could I run to find this information?

Thanks,


danspav
SplunkTrust

Hi @theprophet01,

To get a summary of entities with their info tags you can run the excellent query by sandrosov_splun:

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
| eval value=spath(value,"{}") 
| mvexpand value 
| eval info_fields=spath(value,"informational.fields{}"),
    alias_fields=spath(value,"identifier.fields{}"),
    entity_id=spath(value, "_key"),
    entity_title=spath(value, "title"),
    entity_name=spath(value, "identifying_name") 
| appendpipe 
    [| mvexpand alias_fields 
    | eval field_value = spath(value,alias_fields."{}"), field_type="alias" 
    | rename alias_fields as field_name
        ] 
| appendpipe 
    [| where isnull(field_type) 
    | mvexpand info_fields 
    | eval field_value = spath(value,info_fields."{}"), field_type="info" 
    | rename info_fields as field_name
        ] 
| where isnotnull(field_type) 
| table entity_id entity_name entity_title field_name field_value field_type

This will give you results similar to this:

[Image: danspav_1-1714348237563.png]

To list the services, you can call the "getservice" custom command that comes with ITSI:

| getservice
| table title, serviceid, description, service_tags, kpis, service_depends_on, services_depending_on_me, enabled, base_service_template_id, entity_rules, *

That gives you these results:

[Image: danspav_2-1714348371312.png]

Cheers,

Daniel
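
The flattening that the entity query above performs, as an added Python example that is not part of the original post: it assumes the entity endpoint's JSON array has already been saved to a string, and the sample entities, field names and values are constructed.

```python
import json

# Constructed sample, shaped the way the SPL above reads it: "identifier.fields"
# and "informational.fields" list field names, and each named field is a
# top-level array of values. All names and values here are made up.
SAMPLE = json.dumps([
    {"_key": "e-001", "title": "web01", "identifying_name": "web01",
     "identifier": {"fields": ["host", "ip"]},
     "informational": {"fields": ["os", "owner"]},
     "host": ["web01"], "ip": ["10.0.0.5", "10.0.1.5"],
     "os": ["linux"], "owner": ["platform-team"]},
    {"_key": "e-002", "title": "db01", "identifying_name": "db01",
     "identifier": {"fields": ["host"]},
     "informational": {"fields": []},      # entity with no info fields
     "host": ["db01"]},
])

def _as_list(v):
    """Normalise a missing, scalar or list value to a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]

def flatten_entities(payload):
    """Return one row per (entity, field): alias rows first, then info rows."""
    entities = json.loads(payload)
    rows = []
    # Same two passes as the two appendpipe stages in the SPL.
    for section, field_type in (("identifier", "alias"), ("informational", "info")):
        for ent in entities:
            names = _as_list((ent.get(section) or {}).get("fields"))
            for name in names:
                rows.append({
                    "entity_id": ent.get("_key"),
                    "entity_name": ent.get("identifying_name"),
                    "entity_title": ent.get("title"),
                    "field_name": name,
                    # Multi-valued fields stay as a list, like an SPL mv field.
                    "field_value": _as_list(ent.get(name)),
                    "field_type": field_type,
                })
    return rows

if __name__ == "__main__":
    for row in flatten_entities(SAMPLE):
        print(row)
```

Unlike the SPL, this sketch emits no row for an entity whose field list is empty or missing.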

 

theprophet01
Explorer

Thanks @danspav! That is very helpful!
