itsi_entity_type.conf
The following are the spec and example files for itsi_entity_type.conf.
itsi_entity_type.conf.spec
# This file contains possible settings you can use to upload sample
# entity types to the KV store.
#
# An entity type defines how to classify a type of data source.
# For example, you can create a Windows, Kubernetes, or VMware vCenter Server entity type.
# An entity type can include zero or more entity data drilldowns and zero or more entity data dashboards.
#
# There is an itsi_entity_type.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default. To set custom
# configurations, place an itsi_entity_type.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
# You must restart ITSI to enable new configurations.
#
# To learn more about configuration files (including precedence), see the
# documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles.
[<name>]
title = <string>
* Required
* Title of the entity type.
description = <string>
* Description of the entity type.
dashboard_drilldowns = <json array>
* Required. If there is no value, use an empty list.
* A list of dashboard drilldowns that entities of this class can use to associate with raw data.
* A single dashboard drilldown JSON object contains the following fields
{
"title": <string>
* Usage:
* Required
* The title of the dashboard.
"id": <string>
* Usage:
* Required
* A unique ID for the dashboard drilldown.
"is_splunk_dashboard": <boolean>
* Usage:
* Required
* A flag to determine whether the dashboard drilldown is saved as a navigation or a Splunk dashboard.
"base_url": <string>
* Usage:
* An internal or external URL pointing to the dashboard.
"params": <json>
* Usage:
* Contains two fields: 'alias_param_map' and 'static_params'.
* 'alias_param_map' is a mapping of a URL parameter and its alias.
* 'static_params' are parameters with a defined value.
* Example:
{
"static_params": {
"start_time": "-12h"
},
"alias_param_map": [
{
"alias": "host",
"param": "node"
}
]
}
}
data_drilldowns = <json array>
* A list of data drilldowns that entities of this class can use to populate pre-built dashboards.
* A single data drilldown JSON object contains the following fields
{
"title": <string>
* Usage:
* Required
* The title of the entity data drilldown.
"type": <metrics|events>
* Usage:
* Required
* The type of indexed data that this drilldown is associated with.
* Must be either "metrics" or "events".
"static_filter": <json>
* Usage:
* An SPL filter represented by a JSON structure following a defined schema.
* The static filter finds a subset of indexed data that is associated with
this entity data drilldown.
* There are two types of filters for a static_filter:
1. Basic filter - fields including:
- type: One of "include" or "exclude"
- field: The field name in raw data
- values: A list of values for "field" to filter on
2. Boolean filter - fields including:
- type: One of "or" or "and"
- filters: A list of filters in the shape of a basic filter or boolean filter
* The following example filter is equivalent to "sourcetype=access_logs AND index=main":
{ \
"type": "and", \
"filters": [ \
{ \
"type": "include", \
"field": "sourcetype", \
"values": ["access_logs"] \
}, \
{ \
"type": "include", \
"field": "index", \
"values": ["main"] \
} \
] \
}
"entity_field_filter": <json>
* Usage:
* Specifies what field (info or alias) of an entity to apply
to further filter down the indexed data.
* There are two types of filters for an entity_field_filter:
1. Entity field filter - fields including:
- type: Must be "entity"
- data_field: The field name in raw data
- entity_field: The field of an entity whose value will be used to filter on raw data with "data_field"
2. Boolean filter - fields including:
- type: One of "or" or "and"
- filters: A list of filters in the shape of an entity field filter or boolean filter
* Example:
{ \
"type": "or", \
"filters": [ \
{ \
"type": "entity", \
"data_field": "src", \
"entity_field": "ip" \
}, \
{ \
"type": "entity", \
"data_field": "dest", \
"entity_field": "ip" \
} \
] \
}
* For an entity with "ip=1.2.3.4", this is equivalent to "src=1.2.3.4 OR dest=1.2.3.4".
* Combined with the static filter example above, the final filter of this entity data drilldown
is equivalent to "(sourcetype=access_logs AND index=main) AND (src=1.2.3.4 OR dest=1.2.3.4)".
}
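The filter schema above, rendered to SPL in an added example (not Splunk's or ITSI's own code). It assumes multiple "values" are OR-ed, "exclude" maps to NOT, every value is double-quoted so entity data cannot alter the search structure, and field names match a conservative pattern; render, drilldown_search and FIELD_NAME are hypothetical names.

```python
import json
import re

# Constructed sample input: the two filter examples from the spec text.
STATIC_FILTER = json.loads("""{"type": "and", "filters": [
  {"type": "include", "field": "sourcetype", "values": ["access_logs"]},
  {"type": "include", "field": "index", "values": ["main"]}]}""")
ENTITY_FILTER = json.loads("""{"type": "or", "filters": [
  {"type": "entity", "data_field": "src", "entity_field": "ip"},
  {"type": "entity", "data_field": "dest", "entity_field": "ip"}]}""")

FIELD_NAME = re.compile(r"[A-Za-z_][\w.]*")  # assumed conservative pattern


def _field(name):
    if not isinstance(name, str) or not FIELD_NAME.fullmatch(name):
        raise ValueError(f"unsafe field name: {name!r}")
    return name


def _quote(value):
    # Quote every value so spaces, pipes or quotes in entity data stay
    # inside the term instead of changing the shape of the search.
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def render(node, entity=None, top=True):
    """Render one static_filter or entity_field_filter node as SPL."""
    kind = node.get("type")
    if kind in ("and", "or"):
        parts = [render(f, entity, False) for f in node.get("filters") or []]
        if not parts:
            raise ValueError("boolean filter has no sub-filters")
        joined = f" {kind.upper()} ".join(parts)
        return joined if top or len(parts) == 1 else f"({joined})"
    if kind in ("include", "exclude"):
        terms = [f"{_field(node['field'])}={_quote(v)}" for v in node["values"]]
        if not terms:
            raise ValueError("basic filter has no values")
        expr = terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"
        return expr if kind == "include" else f"NOT {expr}"
    if kind == "entity":
        value = (entity or {})[node["entity_field"]]  # KeyError if absent
        return f"{_field(node['data_field'])}={_quote(value)}"
    raise ValueError(f"unknown filter type: {kind!r}")


def drilldown_search(static_filter, entity_filter, entity):
    """Combine both filters the way the spec's final example does."""
    return f"({render(static_filter)}) AND ({render(entity_filter, entity)})"
```
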
vital_metrics = <json array>
* Optional
* A list of vital metrics that entities of this class are associated with.
{
"metric_name": <string>
* Usage:
* Required
* The name of the metric.
"search": <string>
* Usage:
* Required
* SPL to find this metric.
"split_by_fields": <array>
* Usage:
* Required
* An array of fields used to split the results to entities.
"matching_entity_fields": <array>
* Usage:
* Required
* The fields used to look up entities from the KV store.
* Example: split_by_fields=[id,name], matching_entity_fields=[id,host]
* Raw event "id" field maps to "id" field of entity, and "name" field maps to "host" field
"is_key": <boolean>
* Usage:
* Optional
* If "true", this metric is used as a key metric for this entity type in the Infrastructure Overview.
* Default: false
"unit": <string>
* Usage:
* Optional
* The unit for the metric.
}
_immutable = <boolean>
* Required
* Whether you can edit or delete the entity data drilldown.
* If "true", you can't edit or delete the entity data drilldown.
* If "false", you can edit or delete the entity data drilldown.
* Default: false
itsi_entity_type.conf.example
No example