Hello, everybody!
I now work on ITSI service models, I want my services to be created automatically from search, based on pre-created templates and support entity filtering to simplify KPI in template. I want my service models support deep drill-down to exact problem components, I decided to make every service a separate small ITSI service, base building blocks for huge business IT services. I created the sample service models manually and I love how it looks and works.
To test service autodiscovery I have three entities named okd-node001, okd-node002 and okd-node003:
I put the following scheduled search into /opt/splunk/etc/shcluster/apps/itsi/local/inputs.conf:
[itsi_csv_import://okd-node test 01]
log_level = INFO
disabled = False
backfill_enabled = 0
entity_title_field = DependentEntities
import_from_search = true
index_earliest = -15m
index_latest = now
interval = */15 * * * *
search_string = | inputlookup itsi_entities | rename title as HostName | search HostName="okd-node*" | eval ServiceTitle = HostName." test 01", DependentEntities = HostName | fields ServiceTitle, DependentEntities
service_enabled = 1
service_security_group = default_itsi_security_group
service_title_field = ServiceTitle
update_type = upsert
and got the expected results:
- Three services named
okd-node001 test 01,okd-node002 test 01andokd-node003 test 01. - Each service is filtered on appropriate entity.
After that, I created a test service template named okd-node-template:
and the followind service discovery search:
[itsi_csv_import://okd-node test 02]
log_level = INFO
disabled = False
backfill_enabled = 0
entity_title_field = DependentEntities
import_from_search = true
index_earliest = -15m
index_latest = now
interval = */15 * * * *
search_string = | inputlookup itsi_entities | rename title as HostName | search HostName="okd-node*" | eval ServiceTitle = HostName." test 02", DependentEntities = HostName, ServiceTemplate = "okd-node-template" | fields ServiceTitle, DependentEntities, ServiceTemplate
service_enabled = 1
service_security_group = default_itsi_security_group
service_template_field = ServiceTemplate
service_title_field = ServiceTitle
update_type = upsert
I got the following results:
- Three services named
okd-node001 test 02,okd-node002 test 02andokd-node003 test 02, all linked tookd-node-templateservice template. - But none of the new services has entity filtering rule! So my KPIs work for all the entities in each service.
I wonder, where where am i wrong with my second query? How should I fix this to enable both linkage to service template and entity filtering rule?
