Splunk IT Service Intelligence

ITSI service autodiscovery entity filter not working when linking to service template

oshirnin
Path Finder

Hello, everybody!

I am now working on ITSI service models. I want my services to be created automatically from a search, based on pre-created templates, and to support entity filtering to simplify KPIs in the template. I want my service models to support deep drill-down to the exact problem components. I decided to make every service a separate small ITSI service, base building blocks for huge business IT services. I created the sample service models manually and I love how it looks and works.

To test service autodiscovery I have three entities named okd-node001, okd-node002 and okd-node003:

I put the following scheduled search into /opt/splunk/etc/shcluster/apps/itsi/local/inputs.conf:

[itsi_csv_import://okd-node test 01]
log_level = INFO
disabled = False
backfill_enabled = 0
entity_title_field = DependentEntities
import_from_search = true
index_earliest = -15m
index_latest = now
interval = */15 * * * *
search_string = | inputlookup itsi_entities | rename title as HostName | search HostName="okd-node*" | eval ServiceTitle = HostName." test 01", DependentEntities = HostName | fields ServiceTitle, DependentEntities
service_enabled = 1
service_security_group = default_itsi_security_group
service_title_field = ServiceTitle
update_type = upsert

and got the expected results:

  • Three services named okd-node001 test 01, okd-node002 test 01 and okd-node003 test 01.
  • Each service is filtered on the appropriate entity.

After that, I created a test service template named okd-node-template:

and the following service discovery search:

[itsi_csv_import://okd-node test 02]
log_level = INFO
disabled = False
backfill_enabled = 0
entity_title_field = DependentEntities
import_from_search = true
index_earliest = -15m
index_latest = now
interval = */15 * * * *
search_string = | inputlookup itsi_entities | rename title as HostName | search HostName="okd-node*" | eval ServiceTitle = HostName." test 02", DependentEntities = HostName, ServiceTemplate = "okd-node-template" | fields ServiceTitle, DependentEntities, ServiceTemplate
service_enabled = 1
service_security_group = default_itsi_security_group
service_template_field = ServiceTemplate
service_title_field = ServiceTitle
update_type = upsert

I got the following results:

  • Three services named okd-node001 test 02, okd-node002 test 02 and okd-node003 test 02, all linked to the okd-node-template service template.
  • But none of the new services has an entity filtering rule! So my KPIs work for all the entities in each service.

I wonder, where am I wrong with my second query? How should I fix this to enable both linkage to the service template and the entity filtering rule?

0 Karma

kanwu_splunk
Splunk Employee

When you configure a service template, there is an option that you can configure to consume entity rules from the CSV import during service creation. You should enable that during the service template creation/update.
When you're importing services automatically, try to create the appropriate entity rule for that service.

0 Karma