I'm back to creating services in ITSI and am finding that using something other than an alias in an Entity Filter Field does not work.
For example: I create a new Service to look at IIS logs. As the server hosts multiple sites, my service contains two entity rules (the entity has been set up with the server name as alias and a 'site' info tag listing all its sites, separated by commas). So I can filter the service like so:
Then I went on to create a KPI which tries to count the number of 400 errors in the IIS logs, via an Ad Hoc Search:
eventtype=microsoft_iis_web host=server1 | eval 4xx_error=if(status>=400 AND status<500, status, null())
I then attempt to 'split by entity' - 'uri_path' (which is a field the above search query will return) and Filter by Entities in Service by setting the Entity Filter Field to 'site':
This never finds anything! However if I filter by host it does work. If I open the Generated Search and run just the 'generate_entity_filter' search this always returns `no_entities_matched` unless the Entity Filter Field is configured to host (which is the entities alias).
Am I coming up against a bug here (I am using an ancient version of ITSI)? Or is this by design? Or am I doing something wrong?
Thanks!
Hi!
Yes, that's the correct behaviour IMO. You could split by uri_path using pseudo entities but not use the entity filter on these.
To use the entity filters I would suggest creating new entities with aliases based on your data. For example:
entity_title: uri_path
uri_path: "splunk.com/home"
site: "splunk"
env: "prod"
is_active: "1"
etc
Note that if you have 50K results from your KPI base search you can hit some default limits.
/Seb
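The behaviour the answer describes (an Entity Filter Field only matches alias fields, never info fields) and the remedy it proposes (build entities whose aliases come from the data you split by) can be worked through offline. The block below is an added illustration, not ITSI's code and not part of either post: it models an entity as alias fields plus info fields, a `generate_entity_filter`-style lookup that returns `no_entities_matched` when the chosen field is not an alias, and the 4xx KPI from the question joined against the entities. The event records, the `server1`/`splunk`/`docs` values and the `env`/`is_active` fields are constructed sample data; the matching rule (split-by values are compared to entity aliases under the Entity Filter Field) is an assumption about how ITSI behaves, taken from the thread.

```python
"""Added example (not ITSI code): model of entity-filter matching as described in the thread.

Assumption: an entity has alias fields (usable by Entity Filter Field) and info
fields (descriptive only). Split-by values from the KPI search are matched
against entity alias values under the chosen Entity Filter Field.
"""
from typing import Dict, List

SENTINEL = "no_entities_matched"  # the marker the asker saw from generate_entity_filter

# Constructed IIS-style events: one host serving several sites and URI paths.
EVENTS: List[Dict[str, object]] = [
    {"host": "server1", "site": "splunk", "uri_path": "splunk.com/home", "status": 404},
    {"host": "server1", "site": "splunk", "uri_path": "splunk.com/home", "status": 200},
    {"host": "server1", "site": "docs", "uri_path": "docs.splunk.com/start", "status": 403},
    {"host": "server1", "site": "docs", "uri_path": "docs.splunk.com/start", "status": 500},
    {"host": "server1", "site": "splunk", "uri_path": "splunk.com/login", "status": 401},
]


def make_entity(title: str, aliases: Dict[str, str], info: Dict[str, str]) -> dict:
    return {"title": title, "aliases": dict(aliases), "info": dict(info)}


# The asker's original entity: host is the only alias, sites live in an info field.
SERVER1 = make_entity("server1", aliases={"host": "server1"}, info={"site": "splunk,docs"})


def entity_filter(entities: List[dict], field: str) -> List[str]:
    """Values an Entity Filter Field of `field` can match on.

    Only alias fields are consulted. A field that exists solely as info (the
    asker's 'site') contributes nothing, which yields the SENTINEL result.
    """
    values = sorted({e["aliases"][field] for e in entities if field in e["aliases"]})
    return values or [SENTINEL]


def entities_from_events(events: List[Dict[str, object]]) -> List[dict]:
    """The answer's remedy: one entity per observed uri_path, with uri_path and
    site as aliases (constructed env/is_active info fields, as in the answer)."""
    seen: Dict[str, str] = {}
    for ev in events:
        seen.setdefault(str(ev["uri_path"]), str(ev["site"]))
    return [
        make_entity(path, aliases={"uri_path": path, "site": site},
                    info={"env": "prod", "is_active": "1"})
        for path, site in sorted(seen.items())
    ]


def count_4xx(events: List[Dict[str, object]], entities: List[dict],
              split_by: str, filter_field: str) -> Dict[str, int]:
    """The KPI from the question: count 4xx responses per `split_by` value,
    keeping only values that match an entity alias under `filter_field`."""
    allowed = set(entity_filter(entities, filter_field))
    counts: Dict[str, int] = {}
    for ev in events:
        status = int(ev["status"])
        if not 400 <= status < 500:
            continue
        key = str(ev[split_by])
        if key not in allowed:  # entity filter drops unmatched split-by values
            continue
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print("filter on info field 'site':", entity_filter([SERVER1], "site"))
    print("filter on alias 'host':     ", entity_filter([SERVER1], "host"))
    remodelled = entities_from_events(EVENTS)
    print("4xx by uri_path (old entity):", count_4xx(EVENTS, [SERVER1], "uri_path", "site"))
    print("4xx by uri_path (new entities):", count_4xx(EVENTS, remodelled, "uri_path", "uri_path"))
```

Running it shows the two states side by side: with the original entity, filtering on `site` produces the sentinel and the uri_path split yields no rows, while the re-modelled entities (one per uri_path, as the answer suggests) let the same KPI count per path. In practice the `entities_from_events` step corresponds to running a search over your IIS data to enumerate the uri_path/site pairs and importing the result as entities.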