ITE Work summary index reference
Fields in the ITE Work summary index (itsi_summary) are generally defined in families. For example, all fields that begin with indexed_*
are defined as indexed extractions and thus can be filtered more quickly. alert_*
fields are generally properties replicated from the KPI as well as the information related to the time series. is_*
fields are boolean fields that only ever have the values of 0 or 1.
KPI data points have evolved extensively throughout the history of ITE Work. As a result, a lot of extraneous fields have been carried forward to avoid upgrade issues. These fields are marked deprecated and should not ever be referenced in any search.
As of version 4.6.0, KPI data is double summarized in the summary index and the metrics summary index. The itsi_summary
index will be removed in a future release. For more information, see ITSI metrics summary index reference.
Classes of fields in the summary index
Type of field | Description |
---|---|
Service aggregate | Represents the value of the KPI for the service at a given time along with its evaluated severity. This field exists for every time, even if there is no data. There is exactly 1 for each period of the KPI. |
Entity-level | Represents the value of the KPI for a particular entity at a given point in time along with its evaluated severity. There are 0 to n of these data points. If there is no data, there are no entity-level data points even if the KPI is split by entity. |
Max severity | Represents the most severe KPI data point among service aggregate and all entity-level data points for a given time. Its value is random if multiple data points have the same severity. This data point exists solely for the purpose of evaluating score events. It always exists for every time, even if there's no data. There is exactly 1 event for each period of the KPI. |
Health score | Represents the health score of a given service at a given time. There is exactly 1 event for each service every minute regardless of the number or period of KPIs within the service. |
Composite multi-KPI alert score | Represents the health score of a composite multi-KPI alert. The fields only exist to support multi-KPI alerting. They exist in the summary index because multi-KPI alert scores are calculated at the same time as health scores. |
Summary index fields
The following table provides descriptions and sample values for each field in the summary index.
Field | Sample value | Description |
---|---|---|
alert_color | #99D18B | A hex code for the color of the severity of the data point. |
alert_level | 2 | An integer indicating the severity of the data point. This is the main property for severity and should be the one used for filtering and grouping. Other properties related to the severity are only there for convenience and may be deprecated in a future release. |
alert_period | 5 | The period, in minutes, at which the data point is expected in the summary index. For example, if "5", there should be 1 event every 5 minutes. This field translates to the cron schedule of the KPI. |
alert_severity | normal | The text label for the severity of alert_level. |
alert_value | 1 | The actual aggregated numeric value of the KPI for this data point. This field is used for all graphing and display of the KPI value. |
color | #99D18B | Duplicate of alert_color. |
entity_key | service_aggregate | The key in the entity database of the entity to which this data point belongs, if defined. If "N/A" then the value refers to a pseudo entity. If "service_aggregate" then the value refers to the Service Aggregate data point for the KPI. On a maximum severity event this field and the entity_title can tell you which KPI data point was selected as the Max Severity data point. |
entity_title | service_aggregate | The title of the entity in the entity database. In the case of pseudo entities, the title of the entity as found in the data. Will be "service_aggregate" if the value refers to the Service Aggregate data point for the KPI. On a maximum severity event this field and the entity_key can tell you which KPI data point was selected as the Max Severity data point. |
gs_kpi_id | efd9c9eeb482a9cfde9a8e2d | Duplicate of itsi_kpi_id. Deprecated. |
gs_service_id | b5946968-dfa8-4aa2-a393-7163d2576c6e | Duplicate of itsi_service_id. Deprecated. |
health_score | 100.0 | Duplicate of severity_value. |
host | ip-10-202-0-160.ec2.splunkit.io | The originating hostname or IP address the KPI saved search was dispatched from. |
index | itsi_summary | The index the data point is stored in. |
indexed_is_service_aggregate | 1 | Indexed field of is_service_aggregate. Always filter against this field instead of the non-indexed version. You must use "::" and not "=" for it to make a difference in filtering. |
indexed_is_service_max_severity_event | 0 | Indexed field of is_service_max_severity_event. Always filter against this field instead of the non-indexed version. You must use "::" and not "=" for it to make a difference in filtering. |
indexed_itsi_kpi_id | efd9c9eeb482a9cfde9a8e2d | Indexed field of itsi_kpi_id. Always filter against this field instead of the non-indexed version. You must use "::" and not "=" for it to make a difference in filtering. |
indexed_itsi_service_id | b5946968-dfa8-4aa2-a393-7163d2576c6e | Indexed field of itsi_service_id. Always filter against this field instead of the non-indexed version. You must use "::" and not "=" for it to make a difference in filtering. |
info_max_time | 1572460080.000 | The latest time bound of the dispatched saved search that resulted in this data point. Added by the summary indexing process, mainly useful for forensics. |
info_min_time | 1572460020.000 | The earliest time bound of the dispatched saved search that resulted in this data point. Added by the summary indexing process, mainly useful for forensics. |
info_search_time | 1572460080.844 | The actual time the saved search that resulted in this data point was dispatched. Added by the summary indexing process, mainly useful for forensics. |
is_entity_defined | 0 | "0" if the entity described in entity_title and entity_key is a pseudo entity, "1" if it's a defined entity. This field is better to filter against than entity_key!="N/A", though it is still 0 for service-level data. |
is_entity_in_maintenance | 0 | "0" if the entity described in entity_key is not in maintenance at the time the data point was taken, "1" if it was. A pseudo entity can never be in maintenance. If an entity is maintenance, its value is not included in the Service Aggregate calculation unless every entity in the service is in maintenance. For more information, see Schedule maintenance downtime in ITSI. This functionality is not available in ITE Work. |
is_filled_gap_event | 0 | An indication of whether there were any data gaps that were filled with an specified value. If "1", there was a gap that was filled. For more information about filling data gaps, see Configure KPI monitoring calculations in ITSI. |
is_service_aggregate | 1 | "0" if the data point is from an entity, "1" if it's from the Service Aggregate calculation. Never filter against this field. Use the indexed version instead. |
is_service_in_maintenance | 0 | "0" if the service described in itsi_service_id is not in maintenance at the time the data point was taken, "1" if it was. This is not available in ITE Work. |
is_service_max_severity_event | 0 | "0" if this is a normal KPI data point, "1" if it's the Max Severity event. Never filter against this field. Use the indexed version instead. |
itsi_kpi_id | efd9c9eeb482a9cfde9a8e2d | The ID or key of the KPI to which this KPI data point belongs. Never filter against this field. Use the indexed version instead. |
itsi_service_id | b5946968-dfa8-4aa2-a393-7163d2576c6e | The ID or key of the service to which this KPI data point belongs. Never filter against this field. Use the indexed version instead. |
kpi | Network Txmt KBps | The name of the KPI at the time the data point was taken. For display purposes only. |
kpi_name | Network Txmt KBps | The name of the KPI at the time the data point was taken. |
kpi_urgency | 11 | The importance value configured for the KPI at the time the data point was taken. |
kpibasesearch | 5d75b61e6e651456557ab604 | Only defined on data points generated by a shared base search. This is the key of the shared base search that made this KPI data point. |
kpiid | efd9c9eeb482a9cfde9a8e2d | Deprecated. Duplicate of itsi_kpi_id. Never use. |
linecount | 1 | The number of lines an event contains before it's indexed. |
python.version | python3 | The current Python version. |
qf | -- | Quick filter. This field is only populated when ITSI needs to put something in maintenance to make maintenance searches perform better. |
scoretype | service_health | The type of health score the event contributes to. Used to distinguish service health score events from composite health score events. This field is only present in Health Score type KPI data points.
|
search_name | disabled_kpis_healthscore_generator | The name of the saved search that made the KPI data point. Added by the summary indexing process, mainly useful for forensics. |
search_now | 1572460080.000 | The effective "now" used when the saved search was dispatched. Added by the summary indexing process, mainly useful for forensics. |
sec_grp | default_itsi_security_group | The team the service belongs to. For more information, see Overview of teams in ITSI. |
service | Middleware | The name of the service. |
service_name | Middleware | Duplicate of service. |
serviceid | b5946968-dfa8-4aa2-a393-7163d2576c6e | Deprecated. Duplicate of itsi_service_id. |
severity_label | normal | The text label for the severity of severity_value. |
severity_value | 100.0 | The numeric value of the service health score. This field is used for all graphing and display of the service health score value. |
source | disabled_kpis_healthscore_generator | The search that populates the summary index with state values for the KPI. |
sourcetype | stash | Specifies the format of the data input from which the event originates. Set by the summary indexing process to "stash" for licensing purposes. |
splunk_server | ip-10-202-0-198.ec2.splunkit.io | The name of the Splunk server containing the event. Useful in a distributed Splunk environment. |
timeendpos | 25 | The position in the raw event string at which the timestamp ends. |
timestartpos | 0 | The position in the raw event string at which the timestamp starts. |
urgency | 11 | The importance value configured for the KPI at the time the data point was taken. Duplicate of kpi_urgency. |
Overview of ITE Work Indexes | ITE Work metrics summary index reference |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.16.0 Cloud only
Feedback submitted, thanks!