Splunk ITSI

Splunk IT Service Intelligence: When does entity to service binding occur?

sail4lot
Path Finder

Hi-
I have services with entity rules defined. I then have regularly occurring entity imports that find new entities that could match these rules. When I look at the service configuration, the entities I expect show up based on the rules. When I look at the entity in the entity listing, there is no service binding (service name) listed on that page. In some cases if I leave it overnight the binding is made, but this does not occur reliably.

Can anyone explain when entities are "associated" to services by ITSI? Is this something that happens on a scheduled basis? Is there possibly a reason that, despite correct rules, I am not getting entities to associate properly?

Thanks.

1 Solution

jshih_splunk
Splunk Employee

Entity association (to services) mainly occurs when you define entity rules on the Service Definition page. When you create entity rules and find the entities that match the filters set, the process of saving the service will create the association. This should then be visible on the Entity lister page under the mentioned "Associated Services" tab.

Further, when you manually create individual entities or bulk create entities through import, ITSI will go through each service and see if the newly created entity(ies) match any current service-entity rules. If the new entity(ies) match an entity rule, ITSI should link the entity to the service.


sail4lot
Path Finder

Thanks @jshih_splunk. What I learned at .conf this year was a WHOLE lot about the itsi_refresh_queue and itsi_consumer processes. This is really the root of the issue we were seeing. When defining and saving services with the entity filter, we were not seeing the association in the entity list immediately. In addition, we would get some odd results for KPIs, in that they included all entities for the whole service. As I now understand it, the refresh_queue and what's in there drives these associations. In our environment, a large delete or service creation would fill this queue up substantially and take a very long time to get worked off... resulting in the associations not showing up in a timely manner.

To fix this, we started adding itsi_consumer processes in the inputs page. We are on a pretty beefy server and not currently in a SHC for ITSI. The additional consumer processes (75, believe it or not) we spun up resulted in that queue getting worked off faster.

If that's not advised or if there are considerations with that type of setup that we should be aware of, let me know!

sail4lot
Path Finder

To clarify....

On the entities page, there is an Associated Service column. Most of my entities have an association to a service. Does anyone know how or when this occurs? I did not specify the association manually (other than via entity filters in the service definition).

Thanks
