An entity is an IT infrastructure component, such as:
Each entity has specific attributes and relationships to other IT processes that uniquely identify it. For example, a server that you define as an entity can have multiple IP addresses, MAC addresses, DNS names, and so on.
Meanwhile, KPIs help you monitor the status of these various IT components by monitoring performance metrics, such as CPU load percentage, memory used percentage, response time, and so on.
For information about key ITSI concepts, like entities and KPIs, see: https://docs.splunk.com/Documentation/ITSI/latest/Configure/KeyConcepts
For information about the entity split field, see: https://docs.splunk.com/Documentation/ITSI/latest/Configure/AddKPIs#Step_3:_Filter_entities
Entities are an abstract layer to identify an asset.
For example, an entity could be as basic as a host, but could also be used for a CPU core #, or an application on a server ...
An entity is defined by alias fields (unique field values, like a host or a VM ID), or info fields (can be the same for several entities, like a datacenter location, a service role ...).
In ITSI, entities are used for 2 things:
- group entities in a service, using a filter, or a direct link.
- for the KPIs in a service
In a KPI:
- you can ask to filter to only the entities in the service, or not (optional)
- you can also ask to do a split by of the metrics, to get the detail per entity. (optional)
For the split by:
- if you use a field (alias/info) to do the entity split by, then it will refer to a real entity
- but you could also use a split by field that is not specific to a real entity; we will then say that you are creating "pseudo entities", which only exist in the KPI metrics results (for example, do a split by process when you do not use this field for entities)