
What ITSI Entities Are and How to Wrangle Them

If you’ve been following along with ‘Navigating Content Packs within Splunk IT Service Intelligence’ by AC3 Cisco-Splunk Consultant Jade Bujeya, you may have come to believe that an entity is simply a server with the Windows, Linux, or VMware TA installed that is forwarding data into ITSI. But not quite.

ITSI itself doesn’t ingest data independently; it leverages the data already present in Splunk. So perhaps an entity is just a host sending data into Splunk? Still not quite.

An entity is far more straightforward than that: it's simply an entry in the itsi_entities lookup table.

Getting Service and KPI entities to match up

When configuring a KPI in ITSI, it's important to understand the difference between the Entity Split Field and the Entity Filter Field.

The Entity Split Field determines how your KPI data is grouped. For example, you might calculate CPU utilization per host or per VM. Whatever field you choose becomes the entity that the KPI is measured against.

The Entity Filter Field serves a different purpose: it's how ITSI matches KPI results to the entities attached to a service. This is where many configurations fail.

The key rule is simple: The Entity Split Field can be anything, but the Entity Filter Field must contain the same field values under the same field name in both your KPI search results and your defined entities.

If they don't match, ITSI can't connect the KPI data to the service entities. The KPI may return data, but it won't be able to associate that data with your service entities.

You can even split a KPI by a field that isn't a defined ITSI entity, such as vm_name, while filtering by a host field that matches your service entities. In that case, ITSI creates pseudo-entities for the VMs while still limiting results to entities that belong to the service.

If you're ever unsure whether the matching is configured correctly, use Generate Search. “I encourage you to use the Generate Search option to see exactly what ITSI is running in order to populate your KPI. It can tell you instantly whether you’ve set this up correctly. (You may have noticed ITSI can take a few minutes to present you with pretty colours in the Service Analyzer, even when you’ve done everything right.)”
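The matching rule above can be checked offline against exported KPI results and entity records. The following is an added example, not ITSI's own code or the author's: a simplified model that assumes entities are flat field-to-value records compared by exact string match, with a hypothetical function name and constructed sample data.

```python
# Added example: simplified model of the matching rule, not ITSI's implementation.
# Assumption: entities are flat dicts of field -> value, compared by exact string match.

def check_entity_matching(kpi_rows, service_entities, split_field, filter_field):
    """Report whether KPI result rows can be tied to a service's entities."""
    problems = []
    if not any(filter_field in row for row in kpi_rows):
        problems.append(f"KPI results have no field named {filter_field!r}")
    if not any(filter_field in ent for ent in service_entities):
        problems.append(f"no service entity has a field named {filter_field!r}")

    entity_values = {e[filter_field] for e in service_entities if filter_field in e}
    matched = [r for r in kpi_rows if r.get(filter_field) in entity_values]
    unmatched = sorted({r[filter_field] for r in kpi_rows
                        if filter_field in r and r[filter_field] not in entity_values})
    if kpi_rows and not matched and not problems:
        problems.append("field names agree but no values overlap")

    # Split values that are not defined entities themselves are pseudo-entities.
    defined = {e[split_field] for e in service_entities if split_field in e}
    pseudo = sorted({r[split_field] for r in matched
                     if split_field in r and r[split_field] not in defined})
    return {"problems": problems, "matched_rows": len(matched),
            "unmatched_filter_values": unmatched, "pseudo_entities": pseudo}


# Constructed sample data: two entities on the service, four KPI result rows.
ENTITIES = [{"host": "esx01"}, {"host": "esx02"}]
KPI_ROWS = [
    {"host": "esx01", "vm_name": "vm-a", "cpu_pct": 41.0},
    {"host": "esx01", "vm_name": "vm-b", "cpu_pct": 77.5},
    {"host": "esx02.example.com", "vm_name": "vm-c", "cpu_pct": 12.0},  # FQDN vs short name
    {"host": "esx09", "vm_name": "vm-d", "cpu_pct": 5.0},               # not in this service
]

if __name__ == "__main__":
    # Split by vm_name, filter by host: pseudo-entities, limited to the service's hosts.
    print(check_entity_matching(KPI_ROWS, ENTITIES, "vm_name", "host"))
    # Filter field named differently in the KPI search than on the entities.
    print(check_entity_matching(KPI_ROWS, ENTITIES, "vm_name", "hostname"))
```

The unmatched filter values are the rows that return data but never attach to the service, which is the failure described above.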

Reasons why the Entity Threshold Window might not populate

Some reasons the Entity Threshold Window might not be populating, according to Jade:

• “If your KPI is not returning the _time field, ITSI can’t generate these graphs. Reworking all your | stats commands to keep it around can be a nuisance (you may want to use the | bin command to keep things sensible) but it’s the only way.”

• “Some of you might have noticed that you can add multiple Entity Split Fields. If you create pseudo-entities this way, then as of version 4.21 one of the macros that processes entities gets confused, which can also prevent the Entity Threshold Window from populating.”

Need help getting the most out of ITSI? Contact AC3 to match you with one of our Splunk specialists.