ITSI Entity alias filtering

rom1btn · ‎04-19-2018

Hi all,

I'm using ITSI V3.0.0, I have some strange results that I'll try to explain here.

I've got 2 entities
A

Info: type=application
alias: application_code=X

B

info: type=application
alias: foo=bar

I've linked a service with entities A & B by filtering on type=application
Splunk found both entities

I created a KPI and I moved 'Filter to Entities in Service' to 'Yes' and selected 'application_code' as the Entity Filter Field and 'application_code' as the Entity Alias Filtering.
When I look at the generated search and particularly at the rest command:
| rest splunk_server=local "/servicesNS/nobody/SA-ITOA/itoa_interface/generate_entity_filter?service_id=a967bd3c-8bec-4142-9d5e-92b8f8225e6e&entity_id_fields=application_code&entity_alias_filtering_fields=application_code&search_type=adhoc"

It returns:
application_code="X" OR application_code="bar"

It's the same when I change the 'entity_filtering_fields parameter' to 'DO_NOTHING' and it seems that this parameter is not used for filtering the alias of entities as explained in the documentation: Entity alias filtering

Can somebody confirm me this behaviour ?
Has I done something wrong ?
It sounds like an issue in that version.

Thanks

esnyder_splunk · ‎10-22-2019

It was discovered that entity alias filtering wasn't doing what it should have been doing, so it was removed in version 4.2.0. Please see https://docs.splunk.com/Documentation/ITSI/4.2.0/ReleaseNotes/Removedfeatures

sylbaea · ‎05-02-2018

I realised yesterday I do have similar issue. Have you resolved your problem ?

ITSI Entity alias filtering

Using Machine Learning for Hunting Security Threats

Security Highlights | November 2022 Newsletter

Platform Highlights | November 2022 Newsletter