Getting data into ITSI
There are two ways to get data into ITSI: entities and content packs.
Entities & Entity Integration
Entities and entity integrations are used to collect and aggregate data into Splunk ITSI. Data is collected into what we call Entities – you could define entities any way that fits your needs, but this usually includes data from servers, DNS groups, firewalls, or other devices. Data can be metrics, logs, traces - anything that helps you gain better visibility into the health of the services you are responsible for. Data is streamed and collected from native systems or management/monitoring tools like Splunk Infrastructure Monitoring.
All entities exist in the Global team and can be created in a few ways:
Manually create a single entity in ITSI
Create a single entity in ITSI to associate events your Splunk platform deployment receives.
You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role.
For more information, see Documentation - create a single entity in ITSI.
Manually import entities from a Splunk search in ITSI
Create entities from ITSI module searches, saved searches, or ad hoc searches using indexed data coming into your Splunk platform deployment.
ITSI uses the itsiimportobjects command to import entities from searches.
You can import a maximum of 50,000 entities at a time in ITSI. If you attempt to import more than 50,000 entities, only the first 50,000 are imported.
Prerequisites:
- ITSI role: You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role and access to the Global team.
- Indexed data: You must have already indexed data you want to associate with entities.
For more information, see Documentation - import entities from a search in ITSI.
Manually import entities from a CSV file in ITSI
Importing entities from CSV files is an efficient way to define multiple entities. You can dump data from a change management database (CMDB) or asset inventory database into a CSV file and automate the import for ongoing updates.
ITSI uses the itsiimportobjects command to import entities from a CSV file. All events your Splunk platform deployment indexes from a manual entity import from a CSV file are stored in the itsi_import_objects index, and each event has the itsi_import_objects:csv source type.
You can import a maximum of 50,000 entities at a time in ITSI. If you attempt to import more than 50,000 entities, only the first 50,000 are imported.
Prerequisites:
- ITSI role: You have to log in as a user with the itoa_admin ITSI role.
- CSV file: You must have a CSV file that contains entity definitions. Specify column names in the first row. In each subsequent row, specify an entity title and entity type, as well as one or more entity aliases, and one or more entity information fields. To associate an entity with a service, provide a column with the name of the service. Importing from a CSV file has a limit of one service and one entity per row. There is no limit on the number of dependent services, entity aliases, or entity rule values per row. A CSV file can contain multiple rows. Importing from a CSV file supports five different separators: comma (,), semicolon (;), pipe (|), tab (\t), and caret (^).
In this example you want to create two entities called appserver-04 and appserver-05, and associate appserver-04 with the Web A service and associate appserver-05 with the Web B service. The Web A service already exists in ITSI but the Web B service does not. The following image shows the CSV file to import:
For more information, see Documentation - import entities from a CSV file in ITSI.
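The following pre-flight check for a CSV export is an added example, not part of the Splunk documentation. It tests a file against the constraints listed above (header row, one of the five separators, the 50,000-entity cap that silently drops later rows); the column names `title`, `entity_type` and `service` and all sample values are assumptions constructed for illustration.

```python
import csv
import io

# Separators and the per-import cap are the ones stated on this page.
SEPARATORS = [",", ";", "|", "\t", "^"]
MAX_ENTITIES = 50_000

def detect_separator(header_line):
    """Pick the supported separator that occurs most often in the header row."""
    counts = {sep: header_line.count(sep) for sep in SEPARATORS}
    best = max(counts, key=counts.get)
    if counts[best] == 0:
        raise ValueError("header row uses none of the five supported separators")
    return best

def preflight(text, title_col="title", type_col="entity_type",
              service_col="service", max_rows=MAX_ENTITIES):
    """Check a CSV export before import; the column names are assumptions."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty file: the first row must hold column names")
    sep = detect_separator(lines[0])
    reader = csv.DictReader(io.StringIO(text), delimiter=sep)
    missing = [c for c in (title_col, type_col) if c not in reader.fieldnames]
    if missing:
        raise ValueError(f"missing required columns: {missing}")
    extra_cols = [c for c in reader.fieldnames
                  if c not in (title_col, type_col, service_col)]
    problems, services, total = [], set(), 0
    if not extra_cols:  # row 0 = header
        problems.append((0, "no alias or information field columns"))
    for total, row in enumerate(reader, start=1):  # total = data row number
        if not (row[title_col] or "").strip():
            problems.append((total, "empty entity title"))
        if None in row:  # DictReader files surplus cells under the key None
            problems.append((total, "more cells than header columns"))
        if row.get(service_col):
            services.add(row[service_col].strip())
    return {"separator": sep, "rows": total, "services": sorted(services),
            "dropped": max(0, total - max_rows), "problems": problems}

# Constructed sample mirroring the appserver-04 / appserver-05 scenario.
SAMPLE = (
    "title;entity_type;host;ip;service\n"
    "appserver-04;Linux;appserver-04;10.0.0.4;Web A\n"
    "appserver-05;Linux;appserver-05;10.0.0.5;Web B\n"
)

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

A non-zero `dropped` value means the export should be split into several files before import, since rows past the cap are not imported.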
After you import entities either by creating single entities or from a Splunk search, you can configure recurring imports to update existing entities and create new entities. However, you can't set up a recurring entity import from a CSV file. To configure recurring entity imports from data that's stored in a CSV file, you have to configure a universal forwarder to monitor the CSV file and send data to your Splunk platform deployment, run an entity import from a Splunk search, and configure a recurring import from the Splunk search.
For more information, see Set up a recurring entity import from a CSV file.
You can also automatically create entities and collect data on a recurring basis with ITSI entity integrations. The integrations that are available are:
- Unix and Linux entity integration in ITSI
- Windows entity integration in ITSI
- VMware vSphere entity integration in ITSI
- Splunk Infrastructure Monitoring entity integration in ITSI
To learn more, see Overview of entity integrations in ITSI.
Content Packs & Splunk App for Content Packs
Content packs are individual preconfigured packs that provide capabilities for a specific use case. They can be installed directly within ITSI. Many content packs include service templates, so you can easily link one of your existing services to predetermined key performance indicators (KPIs), allowing you to get up and running faster and more easily.
Splunk App for Content Packs is a free application for ITSI (version 4.9 and later) that acts as a one-stop shop for content packs, and out-of-the-box searches and dashboards for common IT infrastructure monitoring sources. With this app, you no longer need to use the backup/restore functionality to install content packs. Instead, the app contains a library of readily updated content packs and is used to update all of them, rather than individually updating each content pack.
The easiest way to onboard your data into Splunk ITSI is through content packs available on the Splunk App for Content Packs.
Prerequisite: You must have command-line access and Splunk admin access to an ITSI v4.9 or later instance.
- Download the Splunk App for Content Packs on Splunkbase.
- Install the app per the instructions on the Splunk Docs page.
- Go to Configuration > Data Integrations to see the available content packs.
Make sure to install the associated Add-On for the Content Pack you downloaded! For example, there is a corresponding Unix and Linux Add-On that works with the Monitoring Unix and Linux content pack.
For information on how to install the Splunk App for Content Packs on Splunk Cloud Platform or in on-premises environments, how to install content packs for ITSI version 4.8.x and below, and a list of available content packs, see the Splunk Content Packs Manual.
Resources
- Lantern Article: Use the Monitoring and Alerting Content Pack
- Blog post: New features in the Content Pack for Monitoring and Alerting