I'm using ITSI V3.0.0, I have some strange results that I'll try to explain here.
I've got 2 entities
I've linked a service with entities A & B by filtering on type=application
Splunk found both entities
I created a KPI and I moved 'Filter to Entities in Service' to 'Yes' and selected 'application_code' as the Entity Filter Field and 'application_code' as the Entity Alias Filtering.
When I look at the generated search and particularly at the rest command:
| rest splunk_server=local "/servicesNS/nobody/SA-ITOA/itoa_interface/generate_entity_filter?service_id=a967bd3c-8bec-4142-9d5e-92b8f8225e6e&entity_id_fields=application_code&entity_alias_filtering_fields=application_code&search_type=adhoc"
application_code="X" OR application_code="bar"
It's the same when I change the 'entity_filtering_fields parameter' to 'DO_NOTHING' and it seems that this parameter is not used for filtering the alias of entities as explained in the documentation: Entity alias filtering
Can somebody confirm me this behaviour ?
Has I done something wrong ?
It sounds like an issue in that version.
It was discovered that entity alias filtering wasn't doing what it should have been doing, so it was removed in version 4.2.0. Please see https://docs.splunk.com/Documentation/ITSI/4.2.0/ReleaseNotes/Removedfeatures