Solved: Re: Splunk IT Service Intelligence: How to search ...

oshirnin · ‎06-10-2019

Hello, everybody!

I discovered some entities into ITSI using standard Operating System Module saved searches.
I see my entities under App: IT Service Intelligence -> Configure -> Entities.
When I click to any entity, I see its Name, Description, Aliases and some Info Fields, itsi_role among them. I wonder, how can I search for the table of all registered entities and their itsi_role? I checked | inputlookup itsi_entities but this lookup does not store Info Fields and their values.

Thank you in advance!

mperry_splunk · ‎06-19-2019

Entities and their info fields are stored in the KVSTORE. You can start with this search and modify as needed:

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity
fields="_key,title,identifier,informational,identifying_name"
| eval value=spath(value,"{}")
| mvexpand value
| eval entity_title=spath(value, "title"),
entity_name=spath(value, "identifying_name"),
entity_aliases=mvzip(spath(value, "identifier.fields{}"),spath(value, "identifier.values{}"),"="),
entity_info=mvzip(spath(value, "informational.fields{}"),spath(value, "informational.values{}"),"=")

View solution in original post

mperry_splunk · ‎06-19-2019

Entities and their info fields are stored in the KVSTORE. You can start with this search and modify as needed:

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity
fields="_key,title,identifier,informational,identifying_name"
| eval value=spath(value,"{}")
| mvexpand value
| eval entity_title=spath(value, "title"),
entity_name=spath(value, "identifying_name"),
entity_aliases=mvzip(spath(value, "identifier.fields{}"),spath(value, "identifier.values{}"),"="),
entity_info=mvzip(spath(value, "informational.fields{}"),spath(value, "informational.values{}"),"=")

akheraj_splunk · ‎06-18-2020

For ITSI v4.4 and above, you'll need to add

report_as=text

to the | rest portion of the SPL.

ITSI REST API reference

oshirnin · ‎07-01-2019

@mperry_splunk, hello! Sorry for the long response time, thank you for the patience.

Thank you for the query, it gives that I wanted.

By the way, just to know, is there any way to get the same data without using REST? For me, REST is something like for remote querying. It's strange for me to see [PRE]rest splunk_server=local[/PRE]. Is rest command effective enough to query large data? Is it possible to find a definition of KVStore and query it with local commands, maybe inputlookup?

I do not have to much experience with Splunk and maybe confuse this.

mperry_splunk · ‎08-08-2019

oshirnin... as dbot2001 said, you use the REST command inside of Splunk SPL.

The way I get definitions of fields/values from the KVstore is to run the REST above and look at the contents of 'value'. This will show the KV pairs that you're looking for.

You can do the same for just about all of the ITSI REST endpoints that are in the documentation.

dbot2001 · ‎08-08-2019

The '|rest' command is part of SPL, it is a generating command. You do not need to be remote, it is used in the UI.

Splunk IT Service Intelligence: How to search for entities itsi_role and other Info Fields

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024