Splunk® IT Essentials Work

Administration Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

ITE Work summary index reference

Fields in the ITE Work summary index (itsi_summary) are generally defined in families. For example, all fields that begin with indexed_* are defined as indexed extractions and thus can be filtered more quickly. alert_* fields are generally properties replicated from the KPI as well as the information related to the time series. is_* fields are boolean fields that only ever have the values of 0 or 1.

KPI data points have evolved extensively throughout the history of ITE Work. As a result, a lot of extraneous fields have been carried forward to avoid upgrade issues. These fields are marked deprecated and should not ever be referenced in any search.

As of version 4.6.0, KPI data is double summarized in the summary index and the metrics summary index. The itsi_summary index will be removed in a future release. For more information, see ITSI metrics summary index reference.

Classes of fields in the summary index

Type of field Description
Service aggregate Represents the value of the KPI for the service at a given time along with its evaluated severity. This field exists for every time, even if there is no data. There is exactly 1 for each period of the KPI.
Entity-level Represents the value of the KPI for a particular entity at a given point in time along with its evaluated severity. There are 0 to n of these data points. If there is no data, there are no entity-level data points even if the KPI is split by entity.
Max severity Represents the most severe KPI data point among service aggregate and all entity-level data points for a given time. Its value is random if multiple data points have the same severity. This data point exists solely for the purpose of evaluating score events. It always exists for every time, even if there's no data. There is exactly 1 event for each period of the KPI.
Health score Represents the health score of a given service at a given time. There is exactly 1 event for each service every minute regardless of the number or period of KPIs within the service.
Composite multi-KPI alert score Represents the health score of a composite multi-KPI alert. The fields only exist to support multi-KPI alerting. They exist in the summary index because multi-KPI alert scores are calculated at the same time as health scores.

Summary index fields

The following table provides descriptions and sample values for each field in the summary index.

Field Sample value Description
alert_color #99D18B A hex code for the color of the severity of the data point.
alert_level 2 An integer indicating the severity of the data point. This is the main property for severity and should be the one used for filtering and grouping. Other properties related to the severity are only there for convenience and may be deprecated in a future release.
alert_period 5 The period, in minutes, at which the data point is expected in the summary index. For example, if "5", there should be 1 event every 5 minutes. This field translates to the cron schedule of the KPI.
alert_severity normal The text label for the severity of alert_level.
alert_value 1 The actual aggregated numeric value of the KPI for this data point. This field is used for all graphing and display of the KPI value.
color #99D18B Duplicate of alert_color.
entity_key service_aggregate The key in the entity database of the entity to which this data point belongs, if defined. If "N/A" then the value refers to a pseudo entity. If "service_aggregate" then the value refers to the Service Aggregate data point for the KPI. On a maximum severity event this field and the entity_title can tell you which KPI data point was selected as the Max Severity data point.
entity_title service_aggregate The title of the entity in the entity database. In the case of pseudo entities, the title of the entity as found in the data. Will be "service_aggregate" if the value refers to the Service Aggregate data point for the KPI. On a maximum severity event this field and the entity_key can tell you which KPI data point was selected as the Max Severity data point.
gs_kpi_id efd9c9eeb482a9cfde9a8e2d Duplicate of itsi_kpi_id. Deprecated.
gs_service_id b5946968-dfa8-4aa2-a393-7163d2576c6e Duplicate of itsi_service_id. Deprecated.
health_score 100.0 Duplicate of severity_value.
host ip-10-202-0-160.ec2.splunkit.io The originating hostname or IP address the KPI saved search was dispatched from.
index itsi_summary The index the data point is stored in.
indexed_is_service_aggregate 1 Indexed field of is_service_aggregate. Always filter against this field instead of the non-indexed version. You must use "::" and not "=" for it to make a difference in filtering.
indexed_is_service_max_severity_event 0 Indexed field of is_service_max_severity_event. Always filter against this field instead of the non-indexed version. You must use "::" and not "=" for it to make a difference in filtering.
indexed_itsi_kpi_id efd9c9eeb482a9cfde9a8e2d Indexed field of itsi_kpi_id. Always filter against this field instead of the non-indexed version. You must use "::" and not "=" for it to make a difference in filtering.
indexed_itsi_service_id b5946968-dfa8-4aa2-a393-7163d2576c6e Indexed field of itsi_service_id. Always filter against this field instead of the non-indexed version. You must use "::" and not "=" for it to make a difference in filtering.
info_max_time 1572460080.000 The latest time bound of the dispatched saved search that resulted in this data point. Added by the summary indexing process, mainly useful for forensics.
info_min_time 1572460020.000 The earliest time bound of the dispatched saved search that resulted in this data point. Added by the summary indexing process, mainly useful for forensics.
info_search_time 1572460080.844 The actual time the saved search that resulted in this data point was dispatched. Added by the summary indexing process, mainly useful for forensics.
is_entity_defined 0 "0" if the entity described in entity_title and entity_key is a pseudo entity, "1" if it's a defined entity. This field is better to filter against than entity_key!="N/A", though it is still 0 for service-level data.
is_entity_in_maintenance 0 "0" if the entity described in entity_key is not in maintenance at the time the data point was taken, "1" if it was. A pseudo entity can never be in maintenance. If an entity is maintenance, its value is not included in the Service Aggregate calculation unless every entity in the service is in maintenance. For more information, see Schedule maintenance downtime in ITSI. This functionality is not available in ITE Work.
is_filled_gap_event 0 An indication of whether there were any data gaps that were filled with an specified value. If "1", there was a gap that was filled. For more information about filling data gaps, see Configure KPI monitoring calculations in ITSI.
is_service_aggregate 1 "0" if the data point is from an entity, "1" if it's from the Service Aggregate calculation. Never filter against this field. Use the indexed version instead.
is_service_in_maintenance 0 "0" if the service described in itsi_service_id is not in maintenance at the time the data point was taken, "1" if it was. This is not available in ITE Work.
is_service_max_severity_event 0 "0" if this is a normal KPI data point, "1" if it's the Max Severity event. Never filter against this field. Use the indexed version instead.
itsi_kpi_id efd9c9eeb482a9cfde9a8e2d The ID or key of the KPI to which this KPI data point belongs. Never filter against this field. Use the indexed version instead.
itsi_service_id b5946968-dfa8-4aa2-a393-7163d2576c6e The ID or key of the service to which this KPI data point belongs. Never filter against this field. Use the indexed version instead.
kpi Network Txmt KBps The name of the KPI at the time the data point was taken. For display purposes only.
kpi_name Network Txmt KBps The name of the KPI at the time the data point was taken.
kpi_urgency 11 The importance value configured for the KPI at the time the data point was taken.
kpibasesearch 5d75b61e6e651456557ab604 Only defined on data points generated by a shared base search. This is the key of the shared base search that made this KPI data point.
kpiid efd9c9eeb482a9cfde9a8e2d Deprecated. Duplicate of itsi_kpi_id. Never use.
linecount 1 The number of lines an event contains before it's indexed.
python.version python3 The current Python version.
qf -- Quick filter. This field is only populated when ITSI needs to put something in maintenance to make maintenance searches perform better.
scoretype service_health The type of health score the event contributes to. Used to distinguish service health score events from composite health score events. This field is only present in Health Score type KPI data points.
  • For a composite multi-KPI event the value is compositekpi_health.
  • For a service health score event the value is service_health.
search_name disabled_kpis_healthscore_generator The name of the saved search that made the KPI data point. Added by the summary indexing process, mainly useful for forensics.
search_now 1572460080.000 The effective "now" used when the saved search was dispatched. Added by the summary indexing process, mainly useful for forensics.
sec_grp default_itsi_security_group The team the service belongs to. For more information, see Overview of teams in ITSI.
service Middleware The name of the service.
service_name Middleware Duplicate of service.
serviceid b5946968-dfa8-4aa2-a393-7163d2576c6e Deprecated. Duplicate of itsi_service_id.
severity_label normal The text label for the severity of severity_value.
severity_value 100.0 The numeric value of the service health score. This field is used for all graphing and display of the service health score value.
source disabled_kpis_healthscore_generator The search that populates the summary index with state values for the KPI.
sourcetype stash Specifies the format of the data input from which the event originates. Set by the summary indexing process to "stash" for licensing purposes.
splunk_server ip-10-202-0-198.ec2.splunkit.io The name of the Splunk server containing the event. Useful in a distributed Splunk environment.
timeendpos 25 The position in the raw event string at which the timestamp ends.
timestartpos 0 The position in the raw event string at which the timestamp starts.
urgency 11 The importance value configured for the KPI at the time the data point was taken. Duplicate of kpi_urgency.
Last modified on 19 December, 2023
Overview of ITE Work Indexes   ITE Work metrics summary index reference

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.16.0 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters