Splunk ITSI

How to know when a Splunk ITSI Entity retired

STancredi
Loves-to-Learn

Is there an existing Splunk log that would identify the time an entity is "retired" in Splunk ITSI?

I recently had a significant amount of my entities retire for some reason despite the entities still sending metrics data to the metrics indexes. I do have an auto-retire policy in place, but I do not believe that any of the entities in question would not have sent data in the amount of time needed for the auto-retire policy to trigger on them. I am hoping to find a log that would help me identify when entities were retired and how they were retired, be it by the auto-retire policy or an admin making a mistake somehow.

Labels (1)
0 Karma

proyleJDS
Path Finder

You can use the rest API to find what you need

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
| eval value=spath(value,"{}") 
| mvexpand value 
| eval entity_id=spath(value, "_key"),
    entity_title=spath(value, "title"),
    entity_name=spath(value, "identifying_name"),
    retired=spath(value, "retired"),
    mod_time=spath(value, "mod_timestamp")
| search retired=1
| eval epoch_time=strptime(mod_time,"%Y-%m-%dT%H:%M:%S.%6Q")
| eval mod_time=mod_time." UTC"
| eval date_retired=strptime(mod_time,"%Y-%m-%dT%H:%M:%S.%6Q+00:00 %Z")
| convert ctime(date_retired)
| fields entity_id entity_name date_retired
0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...