About STancredi

STancredi · ‎03-22-2024

Is there an existing Splunk log that would identify the time an entity is "retired" in Splunk ITSI? I recently had a significant amount of my entities retire for some reason despite the entities still sending metrics data to the metrics indexes. I do have an auto-retire policy in place, but I do not believe that any of the entities in question would not have sent data in the amount of time needed for the auto-retire policy to trigger on them. I am hoping to find a log that would help me identify when entities were retired and how they were retired, be it by the auto-retire policy or an admin making a mistake somehow.

STancredi · ‎10-04-2023

Correct, my environment is currently utilizing services. I do see the entity_title and serviceid within the index, so thats a good thing at least. The only correlation search we have enabled right now only utilizes entity_title apparently (I did not set these up) as its Entity Lookup field . I also reviewed our notable event aggregation policies and noticed that the only ones enabled reference the serviceid, but not entity_title. We're currently having alerts/episodes generated by the Splunk App for Infrastructure (for normalization) and a different aggregator. Neither show the Impacted Entities. Im guessing something isnt configured properly in either of them to have that data show; OR my entities are messed up.

STancredi · ‎10-04-2023

So I am experiencing this same issue as well, what would be the best way to add entity_title into a search or incorporate the field into the notable event/episodes?

Posts	3
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎10-04-2023

Online Status	Offline
Date Last Visited	‎03-22-2024 04:01 PM

How to know when a Splunk ITSI Entity retired

How to know when a Splunk ITSI Entity retired

Re: Why are ITSI Impacted Entities are not showing...

Re: Why are ITSI Impacted Entities are not showing...