Splunk ITSI

ITSI: how to obtain the same information found in the GUI for Entities and Services within a search

theprophet01
Explorer

Hello!

I would like to run a search which would display all information regarding entities and services.

For example, for entities, where could I find the information stored for: Entity Description, Entity Information Field, Entity Title?

For services, where could I find the information stored for: Service Description, Service Title, Service Tags?

What type of search query could I run to find this information?

Thanks,


danspav
SplunkTrust

Hi @theprophet01,

To get a summary of entities with their info tags you can run the excellent query by sandrosov_splun:

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
| eval value=spath(value,"{}") 
| mvexpand value 
| eval info_fields=spath(value,"informational.fields{}"),
    alias_fields=spath(value,"identifier.fields{}"),
    entity_id=spath(value, "_key"),
    entity_title=spath(value, "title"),
    entity_name=spath(value, "identifying_name") 
| appendpipe 
    [| mvexpand alias_fields 
    | eval field_value = spath(value,alias_fields."{}"), field_type="alias" 
    | rename alias_fields as field_name
        ] 
| appendpipe 
    [| where isnull(field_type) 
    | mvexpand info_fields 
    | eval field_value = spath(value,info_fields."{}"), field_type="info" 
    | rename info_fields as field_name
        ] 
| where isnotnull(field_type) 
| table entity_id entity_name entity_title field_name field_value field_type

This will give you results similar to this:

[screenshot omitted: danspav_1-1714348237563.png, table of entity rows with field_name, field_value and field_type]

To list the services, you can call the "getservice" custom command that comes with ITSI:

| getservice
| table title, serviceid, description, service_tags, kpis, service_depends_on, services_depending_on_me, enabled, base_service_template_id, entity_rules, *

That gives you these results:

[screenshot omitted: danspav_2-1714348371312.png, table output of the getservice query]

Cheers,

Daniel

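The entity query above works by pulling the raw entity JSON from the ITSI REST endpoint and flattening it: one row per alias field (identifier.fields) and per informational field (informational.fields), with the values read from the top-level key that carries the field's name. The following Python script, added here as an illustration and not part of Daniel's answer or of ITSI itself, performs the same flattening offline on a constructed two-entity sample, so you can see exactly which columns each appendpipe stage produces before running the SPL against a live search head. The sample's shape (the _key, title, identifying_name, identifier and informational keys, and per-field multivalue keys) is assumed from the spath() paths in the query, not taken from a real capture.

```python
import json
from typing import Dict, Iterator, List

# Constructed sample: two entity records in the shape the query's spath() calls
# expect from /servicesNS/nobody/SA-ITOA/itoa_interface/entity (report_as=text).
# The records are made up for this example, not captured from an ITSI instance.
SAMPLE_ENTITY_JSON = json.dumps([
    {
        "_key": "entity-0001",
        "title": "web01",
        "identifying_name": "web01",
        "description": "Front-end web server",
        "identifier": {"fields": ["host", "ip"], "values": ["web01", "10.0.0.11"]},
        "informational": {"fields": ["os", "role"], "values": ["linux", "web"]},
        "host": ["web01"],
        "ip": ["10.0.0.11"],
        "os": ["linux"],
        "role": ["web"],
    },
    {
        "_key": "entity-0002",
        "title": "db01",
        "identifying_name": "db01",
        "description": "Database server",
        "identifier": {"fields": ["host"], "values": ["db01"]},
        "informational": {"fields": [], "values": []},
        "host": ["db01"],
    },
])


def flatten_entity(entity: Dict) -> Iterator[Dict[str, str]]:
    """Yield one row per alias/info field of a single entity.

    Mirrors the two appendpipe stages of the SPL: the first pass expands
    identifier.fields{} with field_type="alias", the second expands
    informational.fields{} with field_type="info". Rows without a field_type
    (the untouched originals) are never emitted, matching the final
    `where isnotnull(field_type)`.
    """
    base = {
        "entity_id": entity.get("_key", ""),            # spath(value, "_key")
        "entity_name": entity.get("identifying_name", ""),  # spath(value, "identifying_name")
        "entity_title": entity.get("title", ""),        # spath(value, "title")
    }
    for field_type, section in (("alias", "identifier"), ("info", "informational")):
        for field_name in entity.get(section, {}).get("fields", []):
            # spath(value, field_name."{}") reads the top-level key named by the
            # field. It is a multivalue field, so emit one row per value.
            values = entity.get(field_name, [])
            if not isinstance(values, list):
                values = [values]
            for field_value in values:
                yield {**base,
                       "field_name": field_name,
                       "field_value": str(field_value),
                       "field_type": field_type}


def flatten_entities(report_text: str) -> List[Dict[str, str]]:
    """Parse the report_as=text JSON array and flatten every entity in it."""
    rows: List[Dict[str, str]] = []
    for entity in json.loads(report_text):
        rows.extend(flatten_entity(entity))
    return rows


def fields_of(rows: List[Dict[str, str]], entity_id: str, field_type: str) -> List[str]:
    """Sorted field names of one type for one entity (handy for checks)."""
    return sorted(r["field_name"] for r in rows
                  if r["entity_id"] == entity_id and r["field_type"] == field_type)


if __name__ == "__main__":
    columns = ("entity_id", "entity_name", "entity_title",
               "field_name", "field_value", "field_type")
    print("\t".join(columns))
    for row in flatten_entities(SAMPLE_ENTITY_JSON):
        print("\t".join(row[c] for c in columns))
```

Note that the REST call runs with the permissions of the searching user, so the entity set returned is whatever that user is allowed to read in SA-ITOA; an entity with no informational fields (db01 above) simply yields no "info" rows, just as the SPL drops it from the second appendpipe.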
theprophet01
Explorer

Thanks @danspav! That is very helpful!
