Overview of ITSI entity discovery searches
Splunk IT Service Intelligence (ITSI) includes saved searches that are turned on by default to discover your infrastructure's entity data.
You can find the complete list of saved searches in the Entity Discovery Searches tab on the Entity Management page, or under the [ITSI Import Objects] stanza in $SPLUNK_HOME/etc/apps/itsi/default/savedsearches.conf.
Prerequisites
You can use entity discover saved searches after having met the following prerequisites:
Update search macros
Include the index that you are sending data to as part of the itsi_im_metrics_indexes macro to use the entity discovery saved searches shipped with ITSI.
If you are using a custom saved search in ITSI, update the macro to include the index that you are sending data to. You can do this by updating your HEC token configuration to point to the correct ITSI indexes. For more information about updating your HEC tokens, see Configure the HTTP Event Collector to collect entity integration data in ITSI.
Indexed data
You have to have already indexed data you want to associate with entities.
Entity Discovery Searches reference
The following table is a list of entity discovery searches available in ITSI, and the common data sources discovered by each search:
| Saved search | Data sources | Entity type | Data integration method |
|---|---|---|---|
| ITSI Import Objects - AWS Cloudwatch EBS |
|
N/A | Splunk Add-on for AWS |
| ITSI Import Objects - AWS Cloudwatch EC2 |
|
N/A | Splunk Add-on for AWS |
| ITSI Import Objects - AWS Cloudwatch ELB |
|
N/A | Splunk Add-on for AWS |
| ITSI Import Objects - Kubernetes Node |
|
Kubernetes Node | Splunk Connect for Kubernetes |
| ITSI Import Objects - Kubernetes Pod |
|
Kubernetes Pod | Splunk Connect for Kubernetes |
| ITSI Import Objects - OS |
|
*nix | Unix and Linux Integration - Collectd |
| ITSI Import Objects - Perfmon |
|
Windows | Perfmon on Splunk Universal Forwarder |
| ITSI Import Objects - TA *Nix |
|
Unix/Linux Add-on | Unix and Linux Integration - Splunk Add-on for Unix and Linux |
| ITSI Import Objects - VMWare Cluster |
|
VMware Cluster | VMware |
| ITSI Import Objects - VMware Datastore |
|
VMware Datastore | VMware |
| ITSI Import Objects - VMware Host |
|
VMware ESXi Host | VMware |
| ITSI Import Objects - VMware VM |
|
VMware VM | VMware |
| ITSI Import Objects - VMware vCenter |
|
VMware vCenter | VMware |
Entity type to macro mapping
For ITSI and ITE Work to perform as designed, you need to modify macros for entity search from any custom metrics indexes. Use the following table as a reference for the involved entity types and macros.
| Entity type | Vital metrics macro name |
|---|---|
| *nix | itsi_entity_type_nix_metrics_indexes |
| Kubernetes Node | itsi_entity_type_k8s_node_metrics_indexes |
| Kubernetes Pod | itsi_entity_type_k8s_pod_metrics_indexes |
| Unix/Linux Add-on | itsi_entity_type_ta_nix_metrics_indexes |
| VMware Cluster | itsi_entity_type_vmware_cluster_metrics_indexes |
| VMware Datastore | itsi_entity_type_vmware_datastore_metrics_indexes |
| VMware ESXi Host | itsi_entity_type_vmware_esxihost_metrics_indexes |
| VMware vCenter | itsi_entity_type_vmware_vcenter_metrics_indexes |
| VMware VM | itsi_entity_type_vmware_vm_metrics_indexes |
| Windows | itsi_entity_type_windows_metrics_indexes |
Update an entity discovery search
You can turn a search on or off, update the query and search schedule settings, and more for each entity discovery search.
To update the searches, follow these steps:
- Navigate to Entity Management then Entity Discovery Searches.
- Select the search you want to update.
- Update the search using the different settings on the search details page. For more information, see Update an entity discovery search in ITSI.
After the searches run, your entities display on the Entity Overview page, where you can track the entity's status and investigate vital metrics. For more information, see About the Entity Overview in ITSI.