Getting data into ITSI

Manually create a single entity in ITSI

Create a single entity in ITSI to associate events your Splunk platform deployment receives.

For more information, see Documentation - create a single entity in ITSI.

Manually import entities from a Splunk search in ITSI

Create entities from ITSI module searches, saved searches, or ad hoc searches using indexed data coming into your Splunk platform deployment. 

ITSI uses the itsiimportobjects command to import entities from searches.

Prerequisites:

• ITSI role: You have to log in as a user with the itoa_admin or itoa_team_admin ITSI role and access to the Global team.
• Indexed data: You must have already indexed data you want to associate with entities. 

For more information, see Documentation - import entities from a search in ITSI.

Manually import entities from a CSV file in ITSI 

Importing entities from CSV files is an efficient way to define multiple entities. You can dump data from a change management database (CMDB) or asset inventory database into a CSV file and automate the import for ongoing updates.

ITSI uses the itsiimportobjects command to import entities from a CSV file. All events your Splunk platform deployment indexes from a manual entity import from a CSV file is stored in the itsi_import_objects index and each event has the itsi_import_objects:csv source type.

Prerequisites: 

• ITSI role: You have to log in as a user with the itoa_admin ITSI role.
• CSV file: You must have a CSV file that contains entity definitions. Specify column names in the first row. In each subsequent row, specify an entity title and entity type, as well as one or more entity aliases, and one or more entity information fields. To associate an entity with a service, provide a column with the name of the service. Importing from a CSV file has a limit of one service and one entity per row. There is no limit on the number of dependent services, entity aliases, or entity rule values per row. A CSV file can contain multiple rows. Importing from a CSV file supports five different separators: comma (,), semicolon (;), pipe (|), tab (\t), and caret (^). 

In this example you want to create two entities called appserver-04 and appserver-05, and associate appserver-04 with the Web A service and associate appserver-05 with the Web B service. The Web A service already exists in ITSI but the Web B service does not. The following image shows the CSV file to import:

For more information, see Documentation - import entities from a CSV file in ITSI.

After you import entities either by creating single entities or from a Splunk search, you can configure recurring imports to update existing entities and create new entities. However, you can't set up a recurring entity import from a CSV file. To configure recurring entity imports from data that's stored in a CSV file, you have to configure a universal forwarder to monitor the CSV file and send data to your Splunk platform deployment, run an entity import from a Splunk search, and configure a recurring import from the Splunk search. 

For more information, see Set up a recurring entity import from a CSV file.

You can also automatically create entities and collect data on a recurring basis with ITSI entity integrations. The integrations that are available are:

• Unix and Linux entity integration in ITSI
• Windows entity integration in ITSI
• VMware vSphere entity integration in ITSI
• Splunk Infrastructure Monitoring entity integration in ITSI

To learn more, see Overview of entity integrations in ITSI.