Getting Data In

How to Visualize Performance Metrics using IT essentials Work?

elaborateGecko
Explorer

Hello,

Thank you for taking the time to consider my question. I'm trying to visualize the health of several windows & linux systems using IT essentials work, and no matter what I do it seems like I just can't get the data to actually be read by IT essentials Work (ITEW). 

For testing purposes, I have only started with Windows machines, since I figured those would be better documented and easier. I have installed the Splunk Add on for Microsoft on both the indexer/search head as well as the client, and added the custom inputs.conf which is linked from Splunk Security Essentials App on monitoring CPU/Memory performance on remote windows systems. 

I have installed IT essentials work on my indexer/search head, and it automatically created the "itsi_im_metrics" index, which should collect the data being reported by the foreign host, and then allow ITEW to read it and visualize it, right? When I go into "indexes" on the indexer/search head, it shows that it has thousands of events within that index, and shows it was recently updated as of just a few minutes prior, so the flow it working. However this index doesn't show any events when I search for it in both the normal search & reporting search bar, as well as the ITEW search bar. 

It's obviously something stupid that I missed on my end, since I feel like it's missing one small configuration and then it will work fine, but the fact that there's no guides or videos on this practice and just some very generic documentation on ITSI/ITEW is very disappointing. 

Thank you in advance for considering and assisting me with this, and I look forward to your responses so I can resolve this issue. Any help that leads to the solution will of course be accepted and rewarded with karma for those who appreciate that. 

Thanks again

Labels (1)
0 Karma

tshah-splunk
Splunk Employee
Splunk Employee

Hey @elaborateGecko,

Can you try installing and configuring the Content Packs for ITSI/ITEW (https://splunkbase.splunk.com/app/5391)? They have multiple content packs which can be helpful for the information you are looking for. Here is the documentation link for an overview of the Content Packs - https://docs.splunk.com/Documentation/ContentPackApp/1.4.0/Overview/Overview 

For Windows data, you can configure the "Content Pack for Windows Dashboards and Reports". Installation and configuration guide for the same can be found here - https://docs.splunk.com/Documentation/CPWindowsDash/1.0.0/CP/Install 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma

elaborateGecko
Explorer

Hi @tshah-splunk , thanks for your response. 

I have since gone in and confirmed app #5341 (content packs) is installed on my SH/indexer, and I have followed the steps outlined in the link you sent, which included creating several indexes, however I still am not getting any results within ITEW.

After running the build_winfra_lookup search found within DA-ITSI-CP-windows-dashboards all the results came back as 201, which I assume is successful.

The one time I got this working before I know it had to do with entity integration, but I don't know if I ran  the ps1 script that is located within ITEW app > Configuration > data integrations > Windows infrastructure. Is this required to be able to store and monitor entities within ITEW? Is there any way to do this without running a ps1 script on endpoints that have ps1 scripts disabled?

Many thanks in advance

 

 

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...