Content Pack for ITSI Monitoring and Alerting

Obtain service_name

To improve the reliability of the involved data, version 2.3.0 of the Content Pack for ITSI Monitoring and Alerting, shipped as part of Splunk App for Content Packs version 2.0.0, makes a significant change to how the service_name field is obtained by modifying the way that field populates the itsi_summary index. Because the service_name field is a required attribute in Service and Episode Monitoring Correlation Searches, customers who rely on the service_name field from the itsi_summary index need a different method for obtaining it.

This change to the method for obtaining the service_name field may also affect customers who are not using the capabilities of the content pack.

Overview

In earlier versions of the Content Pack for ITSI Monitoring and Alerting, the service_name field was mapped through an automatic lookup against the itsi_summary index, using the itsi_kpi_attributes.csv lookup generated by the saved search ITSI KPI Attributes Lookup Generator. The automatic lookup has to be scheduled, and unless it is refreshed regularly, it's impossible to ensure that the service_name field is populated on all records in the itsi_summary index.

Affected areas

While this change can affect any customer-specific configuration where searching depends on the presence of the service_name field in the itsi_summary index, it is felt most in the following scenarios:

  1. Ad-hoc searches initiated by users from the Search page, which query the itsi_summary index, where users expect to see, analyze, or filter results by the service_name field.
  2. Custom dashboards, reports, or alerts, which query the itsi_summary index, where users expect to see, analyze, or filter results by the service_name field.
  3. Custom Correlation Searches, which query the itsi_summary index, where users expect to see, analyze, or filter results by the service_name field.

Obtain service_name for a serviceid

To search, filter or report on service_name from the itsi_summary index, add the following lookup after your initial search:

| lookup service_kpi_lookup _key AS serviceid OUTPUT title AS service_name

This SPL command retrieves the service_name from the service_kpi_lookup file. Note that you must add the lookup command to your own SPL queries in order to obtain the service_name field.

You can update your searches using a code snippet like this:

index=itsi_summary 
| lookup service_kpi_lookup _key AS serviceid OUTPUT title AS service_name
| search service_name="*Web*"
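
To find saved searches that still need this update, the following added example (not part of the original documentation or the content pack) scans the text of a savedsearches.conf file for searches that query itsi_summary and reference service_name without the service_kpi_lookup lookup. The sample stanzas are constructed, the function names are hypothetical, and dashboards stored outside savedsearches.conf are not covered.

```python
import re

# Constructed sample savedsearches.conf content (not taken from the page).
SAMPLE_CONF = r"""
[Web KPI degradation report]
search = index=itsi_summary \
| search service_name="*Web*" \
| stats max(alert_level) BY service_name

[Web KPI degradation report - updated]
search = index=itsi_summary \
| lookup service_kpi_lookup _key AS serviceid OUTPUT title AS service_name \
| search service_name="*Web*"

[Unrelated auth report]
search = index=main sourcetype=auth | stats count BY user
"""

def parse_searches(conf_text):
    """Return {stanza: search string}, joining backslash-continued lines."""
    searches, stanza, pending = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if pending is not None:              # inside a continued search value
            pending.append(line.rstrip("\\").strip())
            if not line.endswith("\\"):
                searches[stanza], pending = " ".join(pending), None
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            continue
        value = re.match(r"search\s*=\s*(.*)", line)
        if value and stanza:
            if value.group(1).endswith("\\"):
                pending = [value.group(1).rstrip("\\").strip()]
            else:
                searches[stanza] = value.group(1)
    if pending is not None:                  # file ended mid-continuation
        searches[stanza] = " ".join(pending)
    return searches

def needs_lookup(spl):
    """True if the search uses service_name from itsi_summary with no lookup."""
    uses_summary = re.search(r'\bindex\s*=\s*"?itsi_summary\b', spl)
    uses_name = re.search(r"\bservice_name\b", spl)
    has_lookup = re.search(r"\|\s*lookup\s+service_kpi_lookup\b", spl)
    return bool(uses_summary and uses_name and not has_lookup)

def audit(conf_text):
    """Names of saved searches that should gain the service_kpi_lookup step."""
    return sorted(n for n, s in parse_searches(conf_text).items() if needs_lookup(s))
```

Call audit() on the contents of each app's savedsearches.conf; every stanza name it returns is a search to review by hand.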

What about the itsi_kpi_attributes lookup?

Does this change mean the Content Pack for ITSI Monitoring and Alerting no longer uses or requires the itsi_kpi_attributes lookup? No! The lookup is still required, and the functionality it provides has not changed. This change is limited to how the Correlation Searches in the Content Pack perform the lookup to obtain their information.

Last modified on 12 July, 2023
This documentation applies to the following versions of Content Pack for ITSI Monitoring and Alerting: 2.3.0
