Splunk ITSI

Question about iTSI Service Templates

brent_weaver
Builder

I am trying to find a way to create a template in iTSI that I can basically clone and change one field to make it a new service. I have all this data that is the same, with the exception of one field. My thought was to have all the common denominator stuff laid out and some way to just pass in the needed value of the delta field. Does this even make sense? I basically need to be able to iterate adding services in iTSI.

0 Karma

yannK
Splunk Employee
Splunk Employee

If you make your KPIs Shared base searches (SBS) generic enough, and put the entity logic in the services entity filters,
then you can rely on the service's templates + SBS to scale

ideally, the service template use SBS, the SBS are broad and use the "filter per entity per service"
then when you create services (or import entities in service), the KPIs will automatically run on the new list of entities.


Beware, the usual limit of entity cardinality is 10000, so if you have a SBS populating several KPI metrics, for many entities, (number of metrics * number of entities > 10000), you may want to split it in several SBS

skoelpin
SplunkTrust
SplunkTrust

Before you go down this path.. Whats the purpose of wanting to change a single field and make a new service? Are your services using base searches or adhoc?

0 Karma

brent_weaver
Builder

Some base searches some not. I am trying to avoid have to repeat myself too many times.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

So whats the purpose..

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...