Hello, everybody!
I am now working on ITSI service models. I want my services to be created automatically from a search, based on pre-created templates, and to support entity filtering to simplify KPIs in the template. I want my service models to support deep drill-down to the exact problem components. I decided to make every service a separate small ITSI service, the base building blocks for huge business IT services. I created the sample service models manually and I love how it looks and works.
To test service autodiscovery I have three entities named okd-node001, okd-node002 and okd-node003.
I put the following scheduled search into /opt/splunk/etc/shcluster/apps/itsi/local/inputs.conf:
[itsi_csv_import://okd-node test 01]
log_level = INFO
disabled = False
backfill_enabled = 0
entity_title_field = DependentEntities
import_from_search = true
index_earliest = -15m
index_latest = now
interval = */15 * * * *
search_string = | inputlookup itsi_entities | rename title as HostName | search HostName="okd-node*" | eval ServiceTitle = HostName." test 01", DependentEntities = HostName | fields ServiceTitle, DependentEntities
service_enabled = 1
service_security_group = default_itsi_security_group
service_title_field = ServiceTitle
update_type = upsert
and got the expected results: okd-node001 test 01, okd-node002 test 01 and okd-node003 test 01.
After that, I created a test service template named okd-node-template and the following service discovery search:
[itsi_csv_import://okd-node test 02]
log_level = INFO
disabled = False
backfill_enabled = 0
entity_title_field = DependentEntities
import_from_search = true
index_earliest = -15m
index_latest = now
interval = */15 * * * *
search_string = | inputlookup itsi_entities | rename title as HostName | search HostName="okd-node*" | eval ServiceTitle = HostName." test 02", DependentEntities = HostName, ServiceTemplate = "okd-node-template" | fields ServiceTitle, DependentEntities, ServiceTemplate
service_enabled = 1
service_security_group = default_itsi_security_group
service_template_field = ServiceTemplate
service_title_field = ServiceTitle
update_type = upsert
I got the following results: okd-node001 test 02, okd-node002 test 02 and okd-node003 test 02, all linked to the okd-node-template service template.
I wonder, where am I wrong with my second query? How should I fix this to enable both linkage to the service template and the entity filtering rule?
When you configure a service template, there is an option that you can configure to consume entity rules from the CSV import during service creation. You should enable that during the service template creation/update.
When you're importing services automatically, try to create the appropriate entity rule for that service.