Splunk ITSI

How to know when a Splunk ITSI Entity retired

STancredi
Loves-to-Learn

Is there an existing Splunk log that would identify the time an entity is "retired" in Splunk ITSI?

I recently had a significant amount of my entities retire for some reason despite the entities still sending metrics data to the metrics indexes. I do have an auto-retire policy in place, but I do not believe that any of the entities in question would not have sent data in the amount of time needed for the auto-retire policy to trigger on them. I am hoping to find a log that would help me identify when entities were retired and how they were retired, be it by the auto-retire policy or an admin making a mistake somehow.

Labels (1)
0 Karma

proyleJDS
Path Finder

You can use the rest API to find what you need

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
| eval value=spath(value,"{}") 
| mvexpand value 
| eval entity_id=spath(value, "_key"),
    entity_title=spath(value, "title"),
    entity_name=spath(value, "identifying_name"),
    retired=spath(value, "retired"),
    mod_time=spath(value, "mod_timestamp")
| search retired=1
| eval epoch_time=strptime(mod_time,"%Y-%m-%dT%H:%M:%S.%6Q")
| eval mod_time=mod_time." UTC"
| eval date_retired=strptime(mod_time,"%Y-%m-%dT%H:%M:%S.%6Q+00:00 %Z")
| convert ctime(date_retired)
| fields entity_id entity_name date_retired
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...