Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ITSI Entity alias filtering

rom1btn
Engager
‎04-19-2018 06:05 AM

Hi all,

I'm using ITSI V3.0.0, I have some strange results that I'll try to explain here.

I've got 2 entities
A

  • Info: type=application
  • alias: application_code=X

B

  • info: type=application
  • alias: foo=bar

I've linked a service with entities A & B by filtering on type=application
Splunk found both entities

I created a KPI and I moved 'Filter to Entities in Service' to 'Yes' and selected 'application_code' as the Entity Filter Field and 'application_code' as the Entity Alias Filtering.
When I look at the generated search and particularly at the rest command:
| rest splunk_server=local "/servicesNS/nobody/SA-ITOA/itoa_interface/generate_entity_filter?service_id=a967bd3c-8bec-4142-9d5e-92b8f8225e6e&entity_id_fields=application_code&entity_alias_filtering_fields=application_code&search_type=adhoc"

It returns:
application_code="X" OR application_code="bar"

It's the same when I change the 'entity_filtering_fields parameter' to 'DO_NOTHING' and it seems that this parameter is not used for filtering the alias of entities as explained in the documentation: Entity alias filtering

Can somebody confirm me this behaviour ?
Has I done something wrong ?
It sounds like an issue in that version.

Thanks

Reply

esnyder_splunk
Splunk Employee
Splunk Employee
‎10-22-2019 03:52 PM

It was discovered that entity alias filtering wasn't doing what it should have been doing, so it was removed in version 4.2.0. Please see https://docs.splunk.com/Documentation/ITSI/4.2.0/ReleaseNotes/Removedfeatures

Reply

sylbaea
Communicator
‎05-02-2018 07:19 PM

I realised yesterday I do have similar issue. Have you resolved your problem ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...