Splunk IT Service Intelligence: How to search for entities itsi_role and other Info Fields

oshirnin
Path Finder

Hello, everybody!

I discovered some entities in ITSI using the standard Operating System Module saved searches.
I see my entities under App: IT Service Intelligence -> Configure -> Entities.
When I click on any entity, I see its Name, Description, Aliases and some Info Fields, itsi_role among them. I wonder, how can I search for the table of all registered entities and their itsi_role? I checked | inputlookup itsi_entities but this lookup does not store Info Fields and their values.

Thank you in advance!

0 Karma
1 Solution

mperry_splunk
Splunk Employee

Entities and their info fields are stored in the KVSTORE. You can start with this search and modify as needed:

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity
fields="_key,title,identifier,informational,identifying_name"
| eval value=spath(value,"{}")
| mvexpand value
| eval entity_title=spath(value, "title"),
entity_name=spath(value, "identifying_name"),
entity_aliases=mvzip(spath(value, "identifier.fields{}"),spath(value, "identifier.values{}"),"="),
entity_info=mvzip(spath(value, "informational.fields{}"),spath(value, "informational.values{}"),"=")

0 Karma

akheraj_splunk
Splunk Employee

For ITSI v4.4 and above, you'll need to add report_as=text to the | rest portion of the SPL.

ITSI REST API reference 

0 Karma
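
Added example, not part of any post in this thread: the search from the accepted answer extended to the table the question asks for, one row per entity with its itsi_role. It includes report_as=text as described above for ITSI v4.4 and above; entity_key, info_field and info_value are field names chosen here for illustration.

```spl
| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity
    report_as=text
    fields="_key,title,identifier,informational,identifying_name"
| eval value=spath(value,"{}")
| mvexpand value
| eval entity_key=spath(value, "_key"),
       entity_title=spath(value, "title"),
       entity_info=mvzip(spath(value, "informational.fields{}"), spath(value, "informational.values{}"), "=")
| fields entity_key entity_title entity_info
| mvexpand entity_info
| rex field=entity_info "^(?<info_field>[^=]+)=(?<info_value>.*)$"
| where info_field="itsi_role"
| stats values(info_value) AS itsi_role BY entity_key entity_title
```

Entities that have no itsi_role info field are dropped by the where clause; change the info_field value to list any other info field.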

oshirnin
Path Finder

@mperry_splunk, hello! Sorry for the long response time, thank you for the patience.

Thank you for the query, it gives what I wanted.

By the way, just to know, is there any way to get the same data without using REST? For me, REST is something like for remote querying. It's strange for me to see "rest splunk_server=local". Is the rest command effective enough to query large data? Is it possible to find a definition of KVStore and query it with local commands, maybe inputlookup?

I do not have too much experience with Splunk and may be confusing this.

0 Karma

mperry_splunk
Splunk Employee

oshirnin... as dbot2001 said, you use the REST command inside of Splunk SPL.

The way I get definitions of fields/values from the KVstore is to run the REST above and look at the contents of 'value'. This will show the KV pairs that you're looking for.

You can do the same for just about all of the ITSI REST endpoints that are in the documentation.

0 Karma

dbot2001
Path Finder

The '|rest' command is part of SPL, it is a generating command. You do not need to be remote, it is used in the UI.

0 Karma