Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Services Cannot Entity Filter by Anything Other than Alias?

eddieddieddie
Path Finder
‎06-13-2023 05:47 PM

I'm back to creating services in ITSI and finding that using something other than an alias in an Entity Filter Field does not work.

For example: I create a new Service to look at IIS logs. As the server hosts multiple sites my service contains two entity rules: (the entity has been setup with the server name as alias and a 'site' info tag listing all it's sites - separated by commas). So I can filter the service like so:

eddieddieddie_0-1686702819502.png

Then I went on to create a KPI which tries to count the number of 400 errors in the IIS logs, via an Ad Hoc Search:
eventtype=microsoft_iis_web host=server1 | eval 4xx_error=if(status>=400 AND status<500, status, null())

I then attempt to 'split by entity' - 'uri_path' (which is a field the above search query will return) and Filter by Entities in Service by setting the Entity Filter Field to 'site':

eddieddieddie_1-1686703103405.png

This never finds anything! However if I filter by host it does work. If I open the Generated Search and run just the 'generate_entity_filter' search this always returns `no_entities_matched` unless the Entity Filter Field is configured to host (which is the entities alias).

Am I coming up against a bug here (I am using an ancient version of ITSI)? Or is this by design? Or am I doing something wrong?

Thanks!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎06-28-2023 09:47 AM

Hi!

 

Yes that's the correct behaviour imo. You could split by uri_path using pseudo entities but not use the entity filter on these. 

To use the entity filters I would suggest to create new entities with aliases based on your data. For example:

 

entity_title: uri_path
uri_path: "splunk.com/home"
site: "splunk"
env: "prod"
is_active: "1"
etc

 

 

Note that if you have 50K results from you KPI base search you can hit some default limits. 

 

/Seb 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...