Splunk ITSI

ITSI Entity import - Add your own saved search

JovanMilosevic
Path Finder

I'm trying to import entities using a search. The docs say that I can use a saved search from a predefined list. I want to save my own. I've created a saved search that suits. It doesn't appear in the drop down. I've made it global, and even added it to the SA-IOTA app (Where the predefined ones live). I've tried cloning a predefined one, and amending it. I can never get to use my search in the Entity import.

I'm working in a SHC environment, so I can't save my work as a modular input, so I thought saving my search would at least cut down on the amount of work each time I have to update Entities.

Anyone any ideas how I can add my saved searche to the list of predefined ones ?

Thanks in advance.

Tags (2)
0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust
0 Karma

jkat54
SplunkTrust
SplunkTrust

Did you follow "import from search" directions here?:

http://docs.splunk.com/Documentation/ITSI/2.6.0/Configure/DefineEntities

0 Karma

JovanMilosevic
Path Finder

I did.

From the docs...
Saved Searches Lets you choose from a list of pre-defined ITSI saved searches.

My question is "How do I put one of my searches into the list of pre-defined ITSI saved searches", as the current ones don't meet my needs.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Is the saved search shared in the app or private to just your user?

0 Karma

jkat54
SplunkTrust
SplunkTrust

Oh I see what you're saying now. I'm not sure how to do that but I'll ask around.

0 Karma

jkat54
SplunkTrust
SplunkTrust

So it worked fine for me in a single instance.

I edited the Splunk\etc\apps\SA-ITOA\default\savedsearches.conf, copy and pasted an existing search, and slightly modified it. Then i restarted and it shows up under saved searches:

[IT Service Intelligence - asdfGet Windows hosts]
description             = Retrieves a list of hosts generating Windows host data
search                  = | asdfdatamodel Compute_Inventory OS search | search 
All_Inventory.tag=windows | dedup All_Inventory.dest | rename All_Inventory.dest AS dest | table dest
request.ui_dispatch_app = itsi
0 Karma

ian_thomas
Path Finder

Wondering how this would behave with a macro in place of the search in savedsearches.conf. Would allow itsi admins without CLI access to update searches.

Thoughts?

0 Karma

JovanMilosevic
Path Finder

Thanks for the steer.

I created a local directory in the SA-IOTA app on the Search Head Deployer (in $SPLUNK_HOME/etc/shcluster/apps/SA-IOTA), and placed my search savedsearches.conf in the local directory just created. This keeps our searches separate from the Splunk supplied ones, and ensures mine don't get obliterated by an upgrade. When the bundle is deployed, Splunk merges it into default on each Search Head. Job done.

0 Karma

jkat54
SplunkTrust
SplunkTrust

I'm curious what the difference was between when you cloned it etc versus when you got it to work. Yes you should put it in local for sure. Sorry I didn't mention that. I just tested default because it was easy.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...