Splunk ITSI
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ITSI query to generate a list of Services with their associated entities and alerts

theprophet01
Explorer
‎04-15-2024 02:14 PM

Hello Fellow Splunkers,

I'm fairly new to ITSI and was wondering if this could be achieved. I 'm looking to create a report which would allow me to list all Services I have in ITSI along with their associated entities as well as list associated alerts or severity. Is there a query that could achieve this? any pointers are very much appreciated! Also any pointers where I could potentially find the data and bring it together in a search would be very helpful too.

Thanks!

Labels (2)
Labels
0 Karma
Reply

skramp
SplunkTrust
SplunkTrust
‎09-12-2024 12:24 AM

maybe |getservice can also help 😉

|getservice

  

0 Karma
Reply

proyleJDS
Path Finder
‎08-05-2024 04:06 PM

This search should give you a start on what you need

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/service report_as=text filter="{\"enabled\":1}" 
| eval services_as_json=spath(value,"{}") 
| fields services_as_json 
| mvexpand services_as_json
| eval kpis_as_json=spath(services_as_json, "kpis{}") 
| fields - services_as_json 
| mvexpand kpis_as_json 
| spath input=kpis_as_json 
| fields - kpis_as_json 
| rename key as kpiid
| search service_title!="ServiceHealthScore"
| eval search = if(isnotnull(base_search_id),"",base_search) 
| search "aggregate_thresholds.thresholdLevels{}.severityLabel"!="" "aggregate_thresholds.thresholdLevels{}.thresholdValue"!=""
| rename service_title as Service "aggregate_thresholds.baseSeverityLabel" as "Base Threshold" "aggregate_thresholds.thresholdLevels{}.severityLabel" as "Thresholds" "aggregate_thresholds.thresholdLevels{}.thresholdValue" as "Threshold Values" title as KPI description as Description unit as Unit urgency as "Importance Score"
| table Service KPI Description "Base Threshold" Thresholds "Threshold Values" "Importance Score"
| join type=outer Service
    [| inputlookup itsi_entities
| fields services._key title
| rename services._key as services title as host
| mvexpand services
| lookup service_kpi_lookup _key as services
| stats list(host) as host by title
    | eval host=mvjoin(host, ",")
| rename title as Service]
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top