Splunk® IT Service Intelligence

Service Insights Manual


Splunk IT Service Intelligence (ITSI) version 4.11.x reached its End of Life on December 6, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.

Define a KPI source search in ITSI

When you create a KPI in IT Service Intelligence (ITSI), you must define a source search on which to build the KPI. You can choose from four source search types: data model, ad hoc search, metrics search, or base search.

Note: Before you define your source search, consider the performance implications for your particular deployment. While data models are suitable for smaller test environments, base searches generally provide the best performance in larger production settings. See Create KPI base searches in ITSI.

For an overview of the entire KPI creation workflow, see Overview of creating KPIs in ITSI.

Prerequisites

  • You must create a service before you can add KPIs to it. For instructions, see Overview of creating services in ITSI.
  • To design a KPI search, you need to know the following information:
    • The source search expression, including selection criteria.
    • The specific field in the data that you want to monitor.
    • The time span and frequency for the KPI to update.
    • How to summarize the data over the time span (count, last, sum, average, and so on).
    • Whether you want to split the KPI result values by entities (for example, by host).

Define a source search from a data model

Configure the following fields:

Field | Description
KPI Source | Data Model
Data Model | The data model object, child, and attribute fields. For example, Host Operating System > Memory > mem_used_percent. When you create a KPI search from a data model, the data model object field becomes the threshold field. When you create a KPI search from an ad hoc search, you must manually enter the threshold field.
Filters (optional) | Click Add Filter to add data model filter conditions. Data model filters let you include/exclude search result data based on the filter conditions. For example, the filter condition host Equals ipaddress filters out all values for the data model search field host, except for values that equal ipaddress. Data model filtering can help improve the speed and accuracy of your searches by excluding extraneous data from search results.

Click Generated Search to preview your KPI search string. Use the search box to view changes ITSI makes to your search string as you build your KPI. Click anywhere on the generated search itself to run the search.

Define a source search from a metrics search

Configure the following fields:

Field | Description
KPI Source | Metrics Search. If there are no metrics indexes configured in your Splunk deployment, you'll see the message "No metrics found". For more information about metrics, see Get started with Metrics in the Splunk Enterprise Metrics Manual.
Metrics Index | Select the metrics index from which to choose a metric. The list only populates with indexes defined locally on the search head you are accessing. To use an index defined only on an indexer, enter it manually.
Metric Name | Select the metric to use for the KPI. For example, memory.used.

Click Generated Search to preview your KPI search string. Metrics searches begin with the mstats command.

Define a source search from an ad hoc search

Configure the following fields:

Field | Description
KPI Source | Ad hoc Search
Search | The ad hoc search string that you create. This is the event gathering search for the KPI. Note: The use of transforming commands, the mstats command, the `gettime` macro, or time modifiers in your KPI search is not recommended as this may cause issues with KPI backfill, the display of raw data on ITSI views such as glass tables and deep dives that allow you to run KPI searches against raw data, and the KPI threshold preview.
Threshold Field | The field in your data that the KPI aggregates and monitors. For pure counts use _time.

Click Generated Search to preview your KPI search string.
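The note on the Search field lists constructs to avoid in an ad hoc KPI search. The following pre-check is an added example, not part of the ITSI documentation or product: it flags those constructs in a search string before you paste it into the Search field. The function names, the partial list of transforming commands, and the sample search are assumptions made for illustration.

```python
import re

# Assumptions: partial list of transforming commands; only earliest/latest-style time modifiers.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}
TIME_MODIFIER = re.compile(r"\b(?:_index_)?(?:earliest|latest)\s*=", re.I)
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')

def split_pipeline(spl):
    """Split on pipes outside double quotes and outside [subsearches]."""
    segments, buf, in_quote, depth, i = [], [], False, 0, 0
    while i < len(spl):
        ch = spl[i]
        if ch == "\\" and in_quote and i + 1 < len(spl):
            buf.append(spl[i:i + 2])  # keep an escaped character such as \"
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in "[]":
            depth = max(0, depth + (1 if ch == "[" else -1))
        if ch == "|" and not in_quote and depth == 0:
            segments.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    segments.append("".join(buf).strip())
    return [s for s in segments if s]

def lint_kpi_search(spl):
    """Return the discouraged constructs found in an ad hoc KPI search."""
    findings = []
    for seg in split_pipeline(spl):
        cmd = seg.split(None, 1)[0].lower()  # first token of each pipeline stage
        if cmd == "mstats":
            findings.append("mstats")
        elif cmd in TRANSFORMING:
            findings.append("transforming:" + cmd)
    bare = QUOTED.sub('""', spl)  # ignore text inside quoted values
    if "`gettime`" in bare:
        findings.append("gettime-macro")
    if TIME_MODIFIER.search(bare):
        findings.append("time-modifier")
    return findings

# Constructed sample (not from the ITSI documentation).
SAMPLE = "index=os earliest=-15m | stats avg(mem_used_percent) by host"
if __name__ == "__main__":
    print(lint_kpi_search(SAMPLE))
```

Commands inside subsearches are not inspected, and an empty result means only that none of the listed constructs were found.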

Define a source search from a base search

Configure the following fields:

Field | Description
KPI Source | Base Search
Base Search | The base search that you want to associate with the KPI. For example, DA-ITSI-OS:Performance.Memory. Base searches provide preconfigured KPI templates built on ITSI modules.
Metric | The metric that you want to associate with the KPI. For example, mem_free_percent.

Click Generated Search to preview your KPI search string.

Most fields in the next steps of the KPI creation workflow are pre-populated by the KPI template.

Next steps

After you define your source search, move on to step 2: Split and filter entities for a KPI in ITSI.

Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1

