Maintaining service entities
This task involves maintaining service entities so that the entity state presented in Splunk ITSI (ITSI) accurately reflects the service entity state of the business and supports the proper functioning of ITSI.
This article is part of the Splunk ITSI Owner's Manual, which describes the recommended ongoing maintenance tasks that the owner of an ITSI implementation should ensure are performed to keep their implementation functional. To see more maintenance tasks, see the complete manual.
Why is this important?
ITSI relies on accurate entity information to create a topology map of the IT environment. This map helps in rationalizing the relationships and dependencies between different components of the IT infrastructure. With an accurate entity list, ITSI can represent how various services, applications, and infrastructure components are interconnected as well as catalog relevant information for each entity to aid in incident identification and response.
If the entity information in ITSI is inaccurate, either due to duplicate entities being present or the entity information itself being incorrect, the insights and correlation provided by ITSI can be compromised, leading to inaccurate KPI reporting and missed incident identification. Duplicate entities in particular can cause issues as they compromise the accuracy of KPIs for services and can cause logs to be misattributed to incorrect services.
Schedule
Every month
Prerequisites
- Appropriate search access to the underlying Splunk environment is required to perform this activity.
- This procedure requires admin access to ITSI.
Notes and warnings
- Caution is required when deleting or retiring duplicate entities so as not to cause disruption to any services or KPIs that are utilizing the entities in question. Always review entity deletion with the relevant service owners before it is performed.
- There are several reasons that duplicate entities might be created in an ITSI deployment. Unless the underlying cause of duplicate entities being created is resolved, ITSI will continue to experience duplicate entity creation issues. Potential causes of duplicate entity creation can include:
  - Overlapping entity discovery searches with different merge/conflict resolution fields
  - Incorrect manual entity data load
  - Manual creation of individual entities without appropriate checks
- If duplicate entities are identified in an ITSI implementation that uses entity discovery searches, you must investigate entity discovery searches to resolve the root cause of the duplicate entity creation. If assistance is required with this activity, please reach out to your account team to arrange professional services support.
Procedure
- In the top left corner of the screen, click the Splunk logo.
- On the left-hand side of the screen, select IT Service Intelligence.
- In the menu at the top of the page, click Search.
- Copy the following search into the search bar and press Enter to run the search:
| inputlookup itsi_entities | stats values(identifier.values) AS aliases BY title | eval comparator=lower(mvjoin(aliases, ", ")) | stats count(title) AS entities values(title) AS entity_names values(aliases) AS shared_aliases BY comparator | where entities>1 | fields - comparator | rename entities AS "Duplicate Entities" entity_names AS "Entity Names" shared_aliases AS "Shared alias collection"
- Review the search results from this search. Each line represents a collection of entities that have precisely the same aliases shared between them. These entities are candidates for consolidation.
- In the menu at the top of the page, select Configuration and then open the Entity Management page from the subsequent dropdown menu in a new browser tab.
- On the Entity Management page in the new browser tab, click Advanced Filter next to the filter box at the top of the table. Then, click the + Add Set of Rules (OR) option to add a blank filter box.
- Navigate back to the browser tab with the previous search results and perform the following actions for each line in those search results:
  - For each line in the Shared alias collection field in the search results, select that alias type in a filter box on the Entity Management page. Click + Add Rule (AND) at the bottom of the filter section to add more filter boxes as required.
  - After you have all alias field names transposed to filters on the Entity Management page, copy the corresponding alias values into the second field on each corresponding filter. After these steps are complete, the filter boxes on the Entity Management page should match the alias key-value pairs in the search results for this set of entities.
  - The table at the bottom of the Entity Management page will now list all entities that share this exact set of alias values.
  - Consolidate these entities into one entity or update their aliases to remove the duplication. If you are unsure of the best steps for resolution, contact your Splunk account team and engage professional services to assist.
- Repeat this for each set of duplicate entities identified in the search results.
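The grouping idea behind the search in this procedure, as an added Python example that is not Splunk's code: it runs on constructed rows shaped like an export of the itsi_entities lookup, and the record layout and function names are assumptions. It lowercases aliases before sorting them, and its second function goes beyond the search by listing alias values shared between entities whose full alias sets differ, which an exact-match comparison does not report.

```python
from collections import defaultdict

# Constructed sample rows, shaped like an export of the itsi_entities lookup
# (title plus the multivalue identifier.values field). Not real data.
SAMPLE_ENTITIES = [
    {"title": "web01", "identifier.values": ["web01", "10.0.0.5"]},
    {"title": "WEB01.example.com", "identifier.values": ["10.0.0.5", "WEB01"]},
    {"title": "db01", "identifier.values": ["db01", "10.0.0.9"]},
    {"title": "db01-replica", "identifier.values": ["db01", "10.0.0.10"]},
    {"title": "cache01", "identifier.values": ["cache01"]},
]


def alias_fingerprint(values):
    """Order-independent, case-insensitive key for a set of alias values."""
    return ", ".join(sorted({v.strip().lower() for v in values}))


def find_exact_duplicates(entities):
    """Return {fingerprint: titles} for entities whose alias sets are identical."""
    groups = defaultdict(set)
    for entity in entities:
        groups[alias_fingerprint(entity["identifier.values"])].add(entity["title"])
    return {fp: sorted(titles) for fp, titles in groups.items() if len(titles) > 1}


def find_partial_overlaps(entities):
    """Return {alias: titles} for aliases shared by entities with differing alias sets."""
    by_alias = defaultdict(dict)
    for entity in entities:
        fp = alias_fingerprint(entity["identifier.values"])
        for value in entity["identifier.values"]:
            by_alias[value.strip().lower()][entity["title"]] = fp
    return {
        alias: sorted(owners)
        for alias, owners in by_alias.items()
        if len(owners) > 1 and len(set(owners.values())) > 1
    }


if __name__ == "__main__":
    print("Exact duplicates:", find_exact_duplicates(SAMPLE_ENTITIES))
    print("Partial overlaps:", find_partial_overlaps(SAMPLE_ENTITIES))
```

Entities reported by the first function are the consolidation candidates this procedure targets; entries from the second are worth reviewing with the service owner before any alias is changed.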
More information on entity management can be found in the ITSI Entity Integrations Manual in the Splunk docs portal.
Next steps
These resources might help you understand and implement this guidance:
- Splunk Docs: Entity integrations manual