Splunk ITSI

How to know when a Splunk ITSI Entity retired

STancredi
Loves-to-Learn

Is there an existing Splunk log that would identify the time an entity is "retired" in Splunk ITSI?

I recently had a significant amount of my entities retire for some reason despite the entities still sending metrics data to the metrics indexes. I do have an auto-retire policy in place, but I do not believe that any of the entities in question would not have sent data in the amount of time needed for the auto-retire policy to trigger on them. I am hoping to find a log that would help me identify when entities were retired and how they were retired, be it by the auto-retire policy or an admin making a mistake somehow.

Labels (1)
0 Karma

proyleJDS
Path Finder

You can use the rest API to find what you need

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
| eval value=spath(value,"{}") 
| mvexpand value 
| eval entity_id=spath(value, "_key"),
    entity_title=spath(value, "title"),
    entity_name=spath(value, "identifying_name"),
    retired=spath(value, "retired"),
    mod_time=spath(value, "mod_timestamp")
| search retired=1
| eval epoch_time=strptime(mod_time,"%Y-%m-%dT%H:%M:%S.%6Q")
| eval mod_time=mod_time." UTC"
| eval date_retired=strptime(mod_time,"%Y-%m-%dT%H:%M:%S.%6Q+00:00 %Z")
| convert ctime(date_retired)
| fields entity_id entity_name date_retired
0 Karma
Get Updates on the Splunk Community!

Holistic Visibility and Effective Alerting Across IT and OT Assets

Instead of effective and unified solutions, they’re left with tool fatigue, disjointed alerts and siloed ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...