SPLK-3002 Entities and Modules

Entities and Modules Detailed Explanation

1. What Are Entities in ITSI?

Simple Definition

An Entity in ITSI is a real, identifiable part of your infrastructure, such as:

• A server

• A virtual machine

• A cloud instance

• A container

• Even an application component

Entities help ITSI track which specific machines or systems are responsible for generating the data behind your KPIs.

Why Are Entities Important?

Without entities, you can only measure general performance.
With entities, you can:

• Isolate issues to specific components

• See if a KPI issue is coming from Server A or Server B

• Enable per-entity anomaly detection

This makes your monitoring much more precise and actionable.

2. Entity Properties

Each entity in ITSI can include the following information:

Standard Properties

• Hostname

• IP Address

• Operating System

• Application ID

• Geographic Location

• Business unit or team ownership

Custom Metadata Fields

You can define custom fields to fit your organization, such as:

• datacenter=Tokyo

• team=DevOps

• tier=Production

These properties help in:

• Filtering dashboards

• Grouping related entities

• Applying team-based access control

3. How Are Entities Created?

You can create entities in two main ways:

a. Automatically Discovered

• ITSI can discover entities from your KPI data

• If a KPI is split by “host” or “server”, ITSI can automatically create an entity for each one

b. Manually Added

• You can upload entities via CSV or define them one by one in the UI

• This is useful when you need full control or want to preload entities

Once created, entities can be:

• Linked to KPIs

• Grouped into services

• Used in filters and dashboards

4. Benefits of Using Entities

a. Entity-Specific KPI Tracking

Track how each individual component performs over time.

Example:

See how CPU usage behaves on each app server separately.

b. Per-Entity Anomaly Detection

Train ITSI’s machine learning to understand normal behavior for each entity.

This allows:

• Smarter alerts

• Fewer false positives

• Insights tailored to each component

c. Better Filtering and Dashboarding

You can:

• Filter by entity in dashboards

• Build “per-host” or “per-site” views

• Let teams only see their own entities

This makes dashboards cleaner and more relevant for specific users.

5. What Are Modules in ITSI?

Simple Definition

A Module in ITSI is a pre-built monitoring package designed for specific platforms, tools, or technologies.

It’s like a starter kit that includes everything you need to monitor a common system.

6. What’s Inside a Module?

Each module includes:

• Services (e.g., “Linux Server Health”)

• KPIs (e.g., CPU usage, memory usage)

• Glass Tables (visual dashboards)

• Deep Dives (for analysis)

• Searches and Aggregation Policies (for automation and alerts)

You can think of a module as a template bundle that saves you time.

7. Purpose and Benefits of Modules

a. Rapid Deployment

Instead of building everything from scratch, you can install a module and start monitoring in minutes.

Example:
Install the Linux Monitoring Module → you immediately get:

• Linux services

• Predefined KPIs

• Dashboards showing system health

b. Consistency Across Environments

Modules provide:

• Standardized monitoring logic

• Best practices built-in

• Uniform design across different teams or environments

This is great for organizations with many teams or repeated setups.

c. Easy Customization

Although pre-built, modules are fully editable. You can:

• Add or remove KPIs

• Adjust thresholds

• Customize dashboards

This gives you a balance of speed and flexibility.

Summary: What to Remember About Entities and Modules

• Entities are individual infrastructure components (servers, containers, etc.) that ITSI can track and monitor.

• They allow per-entity tracking, smarter anomaly detection, and fine-grained filtering.

• Modules are pre-packaged bundles of services, KPIs, dashboards, and searches, designed for rapid deployment and consistency.

• Use entities for granularity, and modules for speed and standardization.

Entities and Modules (Additional Content)

1. Entities in ITSI

What Are Entities?

An Entity represents a unique component of your IT infrastructure—such as a server, virtual machine, container, or application process—monitored across KPIs in ITSI.

Entities enable per-object health tracking, anomaly detection, and visual filtering in dashboards like Glass Tables and Deep Dives.

Where to Configure Entities

Entities are configured and managed in the Entity Management UI, located at:

Settings > ITSI > Entity Management

From here, you can:

• View all detected and manually added entities.

• Add new entities via manual creation or CSV upload.

• Map fields such as hostname, IP address, and metadata.

EXAM TIP: If a question asks where you configure entity definitions, this is the correct location.

Entity Aliases (Optional/Advanced)

Some organizations use Entity Aliases to manage naming consistency across environments.

• An alias allows one entity to be referenced using multiple field names (e.g., host, hostname, machine_name).

• This is especially useful when data from different sources uses inconsistent field names for the same object.

Aliases enhance flexibility in KPI bindings, especially in multi-vendor or hybrid environments.

2. Modules in ITSI

What Is an ITSI Module?

A Module in ITSI is a pre-packaged monitoring solution tailored to a specific platform (e.g., Linux, AWS, Docker).

Each module typically contains:

• Predefined Services

• Associated KPIs

• Dashboards (Glass Tables)

• Correlation Searches and Aggregation Policies

Modules drastically reduce configuration time and provide standardized best-practice monitoring logic.

How Are Modules Installed?

Modules can be imported via:

• Splunkbase (official Splunk app marketplace).

• The ITSI UI via Settings > ITSI > Modules (for environments using the integrated module management feature).

Modules are downloaded as .spl packages and installed like standard Splunk apps.

Note: Only ITSI administrators can install modules.

Module vs. Service Template: Key Differences

Feature	Module	Service Template
Purpose	Prebuilt, full-stack solution	Reusable blueprint for creating services
Includes	Services, KPIs, dashboards, policies	KPI definitions, thresholds, scoring rules
Use Case	Rapid deployment of full environments	Standardizing custom services across instances
Editable?	Yes (after deployment)	Yes (before and after applying to services)

A module is like a “turnkey solution”; a template is a "design pattern."

Summary

• Entities allow per-host or per-component monitoring.

  • Manage them in Entity Management UI.

  • Use Entity Aliases for cross-source consistency.

• Modules are installable bundles from Splunkbase or the ITSI UI that help quickly deploy services and KPIs.

• Understand the distinction between Modules (full environments) and Templates (service blueprints) for both the exam and real-world configuration clarity.