Getting Started with the Splunk App for Infrastructure and Using it as the Basis for your ITSI Entity Strategy

By: Brent Mckinney | Splunk Consultant


As the name implies, the Splunk App for Infrastructure (SAI) allows you to monitor and troubleshoot your business’s infrastructure with pre-built and highly customizable displays. SAI provides insight into all layers of your organization’s infrastructure. Splunk’s IT Service Intelligence (ITSI) is a premium offering that allows you to monitor your infrastructure further by defining and analyzing KPIs across all entities in your organization. ITSI utilizes machine learning to baseline what normal behavior looks like and to help identify anomalies in your data.


Getting started with Splunk App for Infrastructure

There are three major components of the SAI: getting data in, investigating your data, and setting up alerts.

The first step is to decide what you want to monitor. SAI offers a handful of options to bring in data from a variety of sources. Once the SAI is installed in your Splunk environment, you can visit the “Add Data” page within the app to explore these options. Some options utilize other Splunk-built add-ons, like the add-on for AWS, which you’re most likely already using if you’ve onboarded AWS data in the past. Other options allow you to utilize OS daemons like collectd for Linux machines. There are options for Windows, OSX, Kubernetes, and more.

Once you’ve begun onboarding data through one of these avenues, you can immediately start investigating. In the “Investigate” tab of the SAI, you can see all entities that were onboarded in the previous step. Splunk uses the term “entity” when describing your individual data sources. This could be a physical server at your organization, a cloud instance in AWS, or any source that you define as a center for monitoring. The Investigate tab shows you a list of all entities, their current status, the last time data was collected, and any associated tags. You can also use this page to assign entities to specific groups that further classify the components of your infrastructure. From here you can click directly on an entity in the list and see an overview of the key metrics being collected. By default this typically shows the OS and current version, network I/O, memory and CPU utilization, and disk space free %. You can drill down further by visiting the Analysis tab and building custom views by dragging and dropping available metrics onto the dashboard. This allows different users to easily build views to monitor their own systems.

Finally, you can set up alerts for your entities and specific metrics, based on conditions that you define. You can alert when a metric exceeds or falls below a given value, and assign severities. The “Alert” tab is a great way to view and manage all alerts in SAI, as it shows you which entities triggered alerts, each alert’s severity, how many times the alert was triggered, and the timestamps at which they occurred.


Integrating with ITSI

Similar to SAI, one of the first steps in bringing ITSI to life is defining the entities you want to begin analyzing. Luckily, ITSI offers seamless integration with what’s already defined in SAI. Under the “Configuration > Entities” tab in ITSI, you can select “Manage Integrations”, where you have the option to import both entities and alerts from SAI into ITSI.

Why this matters: SAI offers a way to get data in from a large variety of sources and makes it easy to choose what you want to monitor from each of them, while ITSI specializes in painting a detailed picture of how all of these sources operate and contribute to the health of the overall environment. Using the SAI to define entities, bring in data, and validate metrics makes setting up services and getting value from ITSI seamless. ITSI relies on many different data sources if you’ve got a wide range of KPIs you want to monitor, so it can be confusing trying to set up services and monitor KPIs when you’re not sure the data is even there to support them. SAI solves that problem by allowing you to easily add data to Splunk, verify that the metrics you’re interested in are indeed coming in, and then import these entities directly into ITSI for analytics.
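Before importing entities into ITSI, it is worth confirming from the search bar what the Investigate tab shows you: which hosts are still reporting, and whether the specific metrics you plan to build KPIs on are actually arriving. The search below is an added example, not part of this post or of the SAI app; it assumes SAI’s default metrics index name (`em_metrics`) and two collectd-style metric names (`cpu.idle` and `df.free`), so adjust those to whatever your Add Data setup writes.

```spl
| mstats count(_value) as samples latest(_value) as last_value
    WHERE index=em_metrics (metric_name="cpu.idle" OR metric_name="df.free")
    BY host metric_name span=5m
| stats max(_time) as last_seen sum(samples) as samples latest(last_value) as last_value
    BY host metric_name
| eval minutes_since_data = round((now() - last_seen) / 60, 1)
| eval status = if(minutes_since_data > 15, "stale", "active")
| table host metric_name samples last_value last_seen minutes_since_data status
| sort status host metric_name
```

Any host/metric pair that is missing from the output, or shows `stale`, is a data-collection problem to fix in SAI before the entity becomes the basis of an ITSI KPI.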

ITSI’s strength is analyzing KPI behavior over time by learning the behavior of the entities in your organization. ITSI was not built to collect data the way SAI does. So using SAI to create and manage the entities in your infrastructure makes it easier to simply assign entities in ITSI and begin analyzing, rather than using ITSI as a means of creating entities and validating data.


Want to learn more about the Splunk App for Infrastructure and using it as the basis for your ITSI entity strategy? Contact us today!