Splunk IT Service Intelligence

ITSI service autodiscovery entity filter not working when linking to service template

oshirnin
Path Finder

Hello, everybody!

I am now working on ITSI service models. I want my services to be created automatically from a search, based on pre-created templates, and to support entity filtering to simplify the KPIs in the template. I want my service models to support deep drill-down to the exact problem components. I decided to make every service a separate small ITSI service, the base building blocks for huge business IT services. I created the sample service models manually and I love how it looks and works.

To test service autodiscovery I have three entities named okd-node001, okd-node002 and okd-node003:


I put the following scheduled search into /opt/splunk/etc/shcluster/apps/itsi/local/inputs.conf:

[itsi_csv_import://okd-node test 01]
log_level = INFO
disabled = False
backfill_enabled = 0
entity_title_field = DependentEntities
import_from_search = true
index_earliest = -15m
index_latest = now
interval = */15 * * * *
search_string = | inputlookup itsi_entities | rename title as HostName | search HostName="okd-node*" | eval ServiceTitle = HostName." test 01", DependentEntities = HostName | fields ServiceTitle, DependentEntities
service_enabled = 1
service_security_group = default_itsi_security_group
service_title_field = ServiceTitle
update_type = upsert

and got the expected results:

  • Three services named okd-node001 test 01, okd-node002 test 01 and okd-node003 test 01.
  • Each service is filtered on the appropriate entity.


After that, I created a test service template named okd-node-template:


and the following service discovery search:

[itsi_csv_import://okd-node test 02]
log_level = INFO
disabled = False
backfill_enabled = 0
entity_title_field = DependentEntities
import_from_search = true
index_earliest = -15m
index_latest = now
interval = */15 * * * *
search_string = | inputlookup itsi_entities | rename title as HostName | search HostName="okd-node*" | eval ServiceTitle = HostName." test 02", DependentEntities = HostName, ServiceTemplate = "okd-node-template" | fields ServiceTitle, DependentEntities, ServiceTemplate
service_enabled = 1
service_security_group = default_itsi_security_group
service_template_field = ServiceTemplate
service_title_field = ServiceTitle
update_type = upsert

I got the following results:

  • Three services named okd-node001 test 02, okd-node002 test 02 and okd-node003 test 02, all linked to the okd-node-template service template.
  • But none of the new services has an entity filtering rule! So my KPIs work for all the entities in each service.


I wonder, where am I wrong with my second query? How should I fix this to enable both linkage to the service template and the entity filtering rule?


kanwu_splunk
Splunk Employee

When you configure a service template, there is an option that you can configure to consume entity rules from the CSV import during service creation. You should enable that during the service template creation/update.
When you're importing services automatically, try to create the appropriate entity rule for that service.
