Navigating Content Packs within Splunk IT Service Intelligence

For Splunk IT Service Intelligence (ITSI) users, knowing what Service Trees, KPI base searches and entity imports are is one thing; being fully confident in how they fit together is another. That is why AC3 Cisco-Splunk Consultant Jade Bujeya has dissected and simplified the core ITSI concepts users can apply to get the most value from the platform.

The Venn diagram of Content Packs and Splunk Apps

Initially, you need the necessary background information on why you should be interested in content packs and how they’re different from standard Splunk Apps from Splunkbase.

According to Jade, the Integrations Library and GDI (Getting Data In) are a more useful starting point than content packs. “At first glance, and especially if you start with the Unix and Linux integration, this might just seem like an unnecessary duplication of part of Splunkbase inside the ITSI UI. Essentially, what the Integrations Library provides is best practices for bringing data from these common sources into Splunk for use in ITSI. They’re all different, and I would encourage you to have a look at a couple even if they’re not all relevant to your use case; it will give you a sense of what your options are.”

At this stage, it’s important to remember that Content Packs and Data Integrations can make onboarding data into ITSI seem more complicated than it really is; in reality there’s no difference between getting data into ITSI and getting data into Splunk generally. While the dedicated ITSI indexes can help, most customers eventually create custom indexes that better fit their needs, and as long as those indexes are added to the relevant macros, everything will work as expected.

Jade also recommends completing your GDI work before working on Content Packs, so that your data is ready for the searches the Content Packs contain. “Content Packs are nothing like Splunk apps. They turn up in no apps directory, do not contain an app.conf and are not available on Splunkbase. What they contain are KPI base searches, services, and service templates.”

When the macros need to be changed after creating custom ITSI indexes, download the content pack of your choice, then go to Configuration > Service Monitoring > KPI Base Searches.

Jade’s key tips during this phase of your ITSI journey:

  • Clone all the OOTB KPI base searches you intend to use so you can play around and edit them.
  • It is not a concern if the OOTB macros are empty.
  • If Splunkbase documentation says a TA or ITSI component belongs on the indexers, and you use a Heavy Forwarder, it likely needs to be installed on the HF as well since that’s where parsing happens first.

What is a service and why it isn’t an entity

Your service tree doesn’t have to look like your architecture diagrams because services don’t have to be servers. Entities typically represent tangible components like servers, websites, or firewalls, while services can represent broader business concepts such as customer satisfaction, profitability, or even an entire department. That flexibility allows ITSI to measure and visualise the health of virtually any business outcome you can define.

Adding entities to services

Take the .csv route at least once, then replicate your results using the Import from Search option. Limit yourself to two or three entities so they’re easy to delete when you’re done, and try out updating an existing entity once you’ve got a few in there.

Jade suggests taking the opportunity for future proofing when onboarding entities.

“If you’re going to be onboarding entities from your CMDB, my humble suggestion is to build the creation of an info field, you might call it itsi_service_mapping, into your entity creation process. Data comes in from SNOW or wherever, your entity creation search finds it, extracts/looks up/defines an itsi_service_mapping field, and creates the entities with this field already populated. This means that the moment your entities spring into being, they are immediately assigned to the correct service, without any additional work from you.”
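As an added illustration of the search Jade describes (example SPL written for this article, not code from AC3 or from Splunk), here is an entity-creation search that populates itsi_service_mapping before the entities are imported. It assumes ServiceNow server CIs land in index cmdb with sourcetype snow:cmdb_ci_server, that a constructed lookup file cmdb_service_map.csv maps the ServiceNow business service (assumed field u_business_service) to an ITSI service name, and that each ITSI service has an entity rule matching on the itsi_service_mapping info field.

```spl
index=cmdb sourcetype="snow:cmdb_ci_server" earliest=-24h
| dedup name sortby -_time
| rename name AS host_name, ip_address AS ip, u_business_service AS snow_service
| lookup cmdb_service_map.csv snow_service OUTPUT itsi_service_mapping
| eval itsi_service_mapping=coalesce(itsi_service_mapping,
    case(match(host_name, "^web"), "Online Store",
         match(host_name, "^db"),  "Order Database",
         true(),                   "Unmapped"))
| table host_name ip snow_service itsi_service_mapping
```

Save this as a saved search and, in Import from Search, map host_name to the entity title, ip to an alias, and itsi_service_mapping to an info field; a service whose entity rule reads “itsi_service_mapping matches Online Store” then picks up the web hosts automatically, while anything that falls through to “Unmapped” is easy to find and fix.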

By building strong foundations around data onboarding and service design, organisations can unlock meaningful operational insights that extend well beyond traditional infrastructure monitoring. To learn more about getting the most out of Splunk ITSI, connect with experts like Jade at AC3 and explore how the right strategy can accelerate your observability journey.