OR if you have info from a CMDB you can create a lookup. For instance, if you have a host naming convention on something like this CHDBBNK3455 where the first two characters are the location (Chicago), the 2nd two are the role (Database), the 3rd are the apps it serves or service (Banking) you can regex those into new fields and create a lookup. If instead you create enrichment fields that you can then filter by, then membership becomes dynamic. If you use only a host name or even an alias with the combo of a host and something else, you move towards 'static' membership. Best practice, if you are measuring the same thing on 5 hosts that serve the same purpose (app servers, web servers, databases, or business service) that is one service. For entities and entity filtering you always want to try and filter by something other than a host name. This allows them to see just what they care about without you breaking a service apart to accommodate how they work. Instead of dragging over a KPI that may have entities they don't care about, instead write a search pulling from itsi_summary index and filter to the entities you do care about. Personally I like Glass tables because you can create boxes and show whatever you want based on a Splunk search. You can still give them a view of their own stuff either through a Glass Table OR you can create views in Service Analyzer, Deep Dives or Episodes. Best practice, don't create services based on how people work, create them based on their dependency of the components. I understand groups want their 'stuff' separate from others BUT this doesn't mean you have to create separate services. I should also then always include "eval tmpentity=." in my base KPI searches. In my service definition / entity associations, I will then always use tmpentity field for filtering. Should I do eval tmpentity=if(host="web-host", "web01", host)?
What about the OS log, where entity is called "web-host" in the "host" field. So for the web log, tmpentity=host will suffice. eval tmpentity=, and use tmpentity will be used as the conflict resolution field. For importing entities from any other data sources, if I decide that they should be just referring to and enriching an existing entity, instead of creating a different entity, I would: I created previously at least 1 entity per forwarder instance with Title->, instead in my entity importing search, I should add a tmpentity field - eval tmpentity=hostname and make tmpentity the Title, and also include tmpentity as part of the alias fields. * Let me apply your strategy of unifying entities that applies to my case, please correct me if I'm wrong: My question is when you would go with treating potential entities from different sources as being essentially one entity and when you will separate them? See this: for an example that can lead to 2 entities with the same title, e.g. 2 servers with the same host name on different data centers. That's why it is theoretically possible to have 2 entities with the same title. I remember being taught the natural business key of an entity is the combination of title+alias+information. * Let's go with 1 service for a simplified case. In your experience, when would you go with multiple services with dependencies between them? They demand clear delineation of "their stuff". The OS team or WEB team is completely separate from each other. I proposed multiple services because of some other reasons. I agree for something this simple, 1 service with multiple KPIs should suffice. Thanks! Let me try to understand what you said. Or should I somehow normalize the data such that there is only 1 entity. Should I have created 2 other entities with different aliases? That is the second one E2 which has alias "hostname=web01" and E3 which has alias "host=web-host". My question is what are best practices to manage entities in this case.
In the OS performance logs, the server can be found by "host=web-host". Now, in the IIS/apache logs, the server can be found by "host=web01". The server is already there as an entity E1 which has an alias hostname=web01. Suppose I plan to create 2 services that monitor health of a web server, the first one called A focuses on IT metrics such as error rates, response times etc., the second one called B focuses on the VM OS performances such as cpu and memory etc. As I have imported all Splunk forwarders as entities. Here is an example to motivate my confusion. Hi, I am still confused about ITSI entity management and best practices after taking the training.