Splunk ITSI

How to know when a Splunk ITSI Entity retired

STancredi
Loves-to-Learn

Is there an existing Splunk log that would identify the time an entity is "retired" in Splunk ITSI?

I recently had a significant amount of my entities retire for some reason despite the entities still sending metrics data to the metrics indexes. I do have an auto-retire policy in place, but I do not believe that any of the entities in question would not have sent data in the amount of time needed for the auto-retire policy to trigger on them. I am hoping to find a log that would help me identify when entities were retired and how they were retired, be it by the auto-retire policy or an admin making a mistake somehow.

0 Karma

proyleJDS
Path Finder

You can use the REST API to find what you need:

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
| eval value=spath(value,"{}") 
| mvexpand value 
| eval entity_id=spath(value, "_key"),
    entity_title=spath(value, "title"),
    entity_name=spath(value, "identifying_name"),
    retired=spath(value, "retired"),
    mod_time=spath(value, "mod_timestamp")
| search retired=1
| eval epoch_time=strptime(mod_time,"%Y-%m-%dT%H:%M:%S.%6Q")
| eval mod_time=mod_time." UTC"
| eval date_retired=strptime(mod_time,"%Y-%m-%dT%H:%M:%S.%6Q+00:00 %Z")
| convert ctime(date_retired)
| fields entity_id entity_name date_retired
0 Karma
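To see whether the entities were retired together or one at a time, the same REST output can be bucketed by modification time. This is an added example, not part of the answer above; it assumes `mod_timestamp` has the format the answer's `strptime` pattern implies and that nothing modified an entity after it was retired, since `mod_timestamp` is the last-modified time rather than a dedicated retirement time.

```spl
| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
| eval value=spath(value,"{}")
| mvexpand value
| eval entity_title=spath(value, "title"),
    retired=spath(value, "retired"),
    mod_time=spath(value, "mod_timestamp")
| search retired=1
| eval _time=strptime(mod_time." UTC", "%Y-%m-%dT%H:%M:%S.%6Q+00:00 %Z")
| bin _time span=5m
| stats count AS retired_entities values(entity_title) AS entities BY _time
| sort - retired_entities
```

A single 5-minute bucket holding most of the retired entities points to one bulk action, while entities spread across many buckets were changed individually.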