Splunk ITSI

ITSI Entity alias filtering

rom1btn
Engager

Hi all,

I'm using ITSI V3.0.0, I have some strange results that I'll try to explain here.

I've got 2 entities
A

  • Info: type=application
  • alias: application_code=X

B

  • info: type=application
  • alias: foo=bar

I've linked a service with entities A & B by filtering on type=application
Splunk found both entities

I created a KPI and I moved 'Filter to Entities in Service' to 'Yes' and selected 'application_code' as the Entity Filter Field and 'application_code' as the Entity Alias Filtering.
When I look at the generated search and particularly at the rest command:
| rest splunk_server=local "/servicesNS/nobody/SA-ITOA/itoa_interface/generate_entity_filter?service_id=a967bd3c-8bec-4142-9d5e-92b8f8225e6e&entity_id_fields=application_code&entity_alias_filtering_fields=application_code&search_type=adhoc"

It returns:
application_code="X" OR application_code="bar"

It's the same when I change the 'entity_filtering_fields parameter' to 'DO_NOTHING' and it seems that this parameter is not used for filtering the alias of entities as explained in the documentation: Entity alias filtering

Can somebody confirm me this behaviour ?
Has I done something wrong ?
It sounds like an issue in that version.

Thanks

esnyder_splunk
Splunk Employee
Splunk Employee

It was discovered that entity alias filtering wasn't doing what it should have been doing, so it was removed in version 4.2.0. Please see https://docs.splunk.com/Documentation/ITSI/4.2.0/ReleaseNotes/Removedfeatures

sylbaea
Communicator

I realised yesterday I do have similar issue. Have you resolved your problem ?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...