Splunk IT Service Intelligence: How to search for entities itsi_role and other Info Fields

Path Finder

Hello, everybody!

I discovered some entities into ITSI using standard Operating System Module saved searches.
I see my entities under App: IT Service Intelligence -> Configure -> Entities.
When I click on any entity, I see its Name, Description, Aliases and some Info Fields, itsi_role among them. I wonder, how can I search for the table of all registered entities and their itsi_role? I checked | inputlookup itsi_entities but this lookup does not store Info Fields and their values.

Thank you in advance!

0 Karma
Re: Splunk IT Service Intelligence: How to search for entities itsi_role and other Info Fields

Splunk Employee

Entities and their info fields are stored in the KVSTORE. You can start with this search and modify as needed:

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity fields="_key,title,identifier,informational,identifying_name"
| eval value=spath(value,"{}")
| mvexpand value
| eval entity_title=spath(value, "title"),
    entity_name=spath(value, "identifying_name"),
    entity_aliases=mvzip(spath(value, "identifier.fields{}"),spath(value, "identifier.values{}"),"="),
    entity_info=mvzip(spath(value, "informational.fields{}"),spath(value, "informational.values{}"),"=")

0 Karma
Re: Splunk IT Service Intelligence: How to search for entities itsi_role and other Info Fields

Path Finder

@mperry_splunk, hello! Sorry for the long response time, thank you for the patience.

Thank you for the query, it gives what I wanted.

By the way, just to know, is there any way to get the same data without using REST? For me, REST is something like for remote querying. It's strange for me to see [PRE]rest splunk_server=local[/PRE]. Is the rest command effective enough to query large data? Is it possible to find a definition of KVStore and query it with local commands, maybe inputlookup?

I do not have too much experience with Splunk and maybe I am confusing this.

0 Karma
Re: Splunk IT Service Intelligence: How to search for entities itsi_role and other Info Fields

Explorer

The '|rest' command is part of SPL, it is a generating command. You do not need to be remote, it is used in the UI.

0 Karma
Re: Splunk IT Service Intelligence: How to search for entities itsi_role and other Info Fields

Splunk Employee

oshirnin... as dbot2001 said, you use the REST command inside of Splunk SPL.

The way I get definitions of fields/values from the KVstore is to run the REST above and look at the contents of 'value'. This will show the KV pairs that you're looking for.

You can do the same for just about all of the ITSI REST endpoints that are in the documentation.

0 Karma
Re: Splunk IT Service Intelligence: How to search for entities itsi_role and other Info Fields

Splunk Employee

For ITSI v4.4 and above, you'll need to add

report_as=text

to the | rest portion of the SPL.

 

ITSI REST API reference 

0 Karma
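
An added example, not part of any post in this thread: the search from the accepted answer, extended to produce the table the original question asks for (one row per entity with its itsi_role). The field names info_field and info_value are hypothetical names chosen here, report_as=text is included because the last reply says ITSI v4.4 and above need it, and the search assumes each info field carries a single value so that the positional mvzip pairing lines up.

```spl
| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="_key,title,identifier,informational,identifying_name"
| eval value=spath(value,"{}")
| mvexpand value
| eval entity_title=spath(value, "title"),
    entity_info=mvzip(spath(value, "informational.fields{}"),spath(value, "informational.values{}"),"=")
| mvexpand entity_info
| rex field=entity_info "^(?<info_field>[^=]+)=(?<info_value>.*)$"
| where info_field="itsi_role"
| stats values(info_value) AS itsi_role BY entity_title
```

Entities that have no itsi_role info field are filtered out by the where clause and do not appear in the result.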