Splunk ITSI

ITSI - exclusion of an entity from a service

ayomotukoya
Explorer

We have a service for a location 102. We preface entities that correlate with that service with a 102 in their entity name. For example, a location 102 entity can be named "102AP_M1" for an AP; the number before the device type is the location, "102" in this instance. We use the aliases entity_name and name to map entities to this alias. Due to our bad naming conventions we have another entity named "100AP_M102" that is showing up as an entity mapped to service 102. I put in an alias of "name NOT 100AP_M102" but this didn't remove the entity from this service. I tried similar aliases but no luck.

We use a base search to identify these APs and don't want to remove this base search because there are other dependencies. Any ideas on how to get this AP off this service?

0 Karma

skramp
SplunkTrust

Yes, you should edit your Entity Search by implementing a new Info field like "location", which is filled, i.e., by rex.

0 Karma

Esky73
Builder

Can you add an information field to the entity you don't want in the service and then add an exclusion for that information field in the entity filter?

0 Karma
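The info-field approach from the replies above, as an added SPL sketch that is not from any participant in the thread. It assumes entity names follow `<location digits><device type>_<suffix>`; `102SW_C3` and `100AP_M7` are constructed sample names, and `device_type`, `substring_match` and `location_match` are hypothetical field names chosen for illustration.

```spl
| makeresults
| eval name=split("102AP_M1,102SW_C3,100AP_M102,100AP_M7", ",")
| mvexpand name
| rex field=name "^(?<location>\d+)(?<device_type>[A-Za-z]+)_"
| eval substring_match=if(like(name, "%102%"), "yes", "no")
| eval location_match=if(tonumber(location)==102, "yes", "no")
| table name location device_type substring_match location_match
```

For `100AP_M102` the substring test says yes while the anchored `location` field is 100, which is why filtering the service on an extracted `location` info field separates the two entities where a match on the name does not.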