Re: How to extract the entities in a service as a ...

raynold_peterso · ‎06-12-2018

I have been wracking my poor brain on how to extract the entities from my services in ITSI.

Here is what I want to do. I want to use my configured services and entities to create a lookup to drive my kpi adhoc searches so when and if I have to update the entities in the service the associated searches will pull the correct entities.

I may be trying to go about this the wrong way, so it you have a better suggestion then I am open for new ideas.

Thanks in advance,
Rcp

raynold_peterso · ‎06-13-2018

Something like that. I want to know what entities are in the service so I can create an adhoc job for the kpi on just those entities. From a lookup table would be ok but I'd rather have the kdi read the data directly from the configuration. That way if I add or remove entities the kpi automatically adjusts.

skoelpin · ‎06-12-2018

Are you wanting to extract the entity names? I'm assuming you want to extract the entity names and write them to a lookup table?

ronvreeken · ‎10-15-2019

Is this what you ar looking for ?

| inputlookup itsi_entities append=true
| rename services._key as service_key
| rename title as entity
| fields entity, service_key
| where isnotnull(service_key)
| mvexpand service_key
| inputlookup service_kpi_lookup append=true
| eval key=coalesce(service_key,_key)
| stats values(entity) as entity, values(title) as service by key
| mvexpand entity
| fields entity service
| sort 0 entity

How to extract the entities in a service as a lookup in ITSI

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?