ITE Work metrics summary index reference
The metrics summary index, itsi_summary_metrics
, is a metrics-based summary index that stores KPI data. The index is a metrics version of the events summary index. For more information, see ITSI summary index reference.
As of ITSI version 4.6.0, each ITE Work KPI is summarized into both the events summary index and the metrics summary index. Service health score values are calculated using metrics, and KPI and service health score tiles on the Service Analyzer are rendered using metrics. The metrics summary index creates a more responsive UI experience by increasing the performance of the searches dispatched by ITE Work. In future releases, additional UI elements will be converted to use the mstats
syntax.
The metrics summary index provides the following performance improvements:
- Service Analyzer rendering is 28% faster
- Service topology rendering is 18% faster
For more information about metrics indexes, see Metrics indexes in the Splunk Enterprise Metrics Manual.
Classes of fields in the metrics summary index
Type of field | Description |
---|---|
Service aggregate | Represents the value of the KPI for the service at a given time along with its evaluated severity. This field exists for every time, even if there is no data. There is exactly 1 for each period of the KPI. |
Entity-level | Represents the value of the KPI for a particular entity at a given point in time along with its evaluated severity. There are 0 to n of these data points. If there is no data, there are no entity-level data points even if the KPI is split by entity. |
Max severity | Represents the most severe KPI data point among service aggregate and all entity-level data points for a given time. Its value is random if multiple data points have the same severity. This data point exists solely for the purpose of evaluating score events. It always exists for every time, even if there's no data. There is exactly 1 event for each period of the KPI. |
Health score | Represents the health score of a given service at a given time. There is exactly 1 event for each service every minute regardless of the number or period of KPIs within the service. |
Metrics summary index fields
The following table provides descriptions and sample values for each field in the summary index.
Field | Sample value | Description |
---|---|---|
alert_period | 5 | The period, in minutes, at which the data point is expected in the summary index. For example, if "5", there should be 1 event every 5 minutes. This field translates to the cron schedule of the KPI. |
entity_key | service_aggregate | The key in the entity database of the entity to which this data point belongs, if defined. If "N/A" then the value refers to a pseudo entity. If "service_aggregate" then the value refers to the Service Aggregate data point for the KPI. On a maximum severity event this field and the entity_title can tell you which KPI data point was selected as the Max Severity data point. |
entity_title | service_aggregate | The title in the entity database of the entity to which this data point belongs. In the case of pseudo entities, the title of the entity as found in the data. |
host | ip-10-202-0-160.ec2.splunkit.io | The originating hostname or IP address the KPI saved search was dispatched from. |
index | itsi_summary_metrics | Stores the name of the index, which will always be itsi_summary_metrics. A standard field in Splunk software. |
info_max_time | 1572460080.000 | The latest time bound of the dispatched saved search that resulted in this data point. Added by the summary indexing process, mainly useful for forensics. |
info_min_time | 1572460020.000 | The earliest time bound of the dispatched saved search that resulted in this data point. Added by the summary indexing process, mainly useful for forensics. |
info_search_time | 1572460080.844 | The actual time the saved search that resulted in this data point was dispatched. Added by the summary indexing process, mainly useful for forensics. |
is_backfilled_event | 1 | Indicates whether a result is is from a backfill operation. |
is_entity_defined | 0 | "0" if the entity described in entity_title and entity_key is a pseudo entity, "1" if it's a defined entity. This field is better to filter against than entity_key!="N/A", though it is still 0 for service-level data. |
is_entity_in_maintenance | 0 | "0" if the entity described in entity_key is not in maintenance at the time the data point was taken, "1" if it was. A pseudo entity can never be in maintenance. If an entity is in maintenance, its value is not included in the Service Aggregate calculation unless every entity in the service is in maintenance. For more information, see Schedule maintenance downtime in ITSI. |
is_filled_gap_event | 0 | An indication of whether there were any data gaps that were filled with an specified value. If "1", there was a gap that was filled. For more information about filling data gaps, see Configure KPI monitoring calculations in ITSI. |
is_null_alert_value | 1 | Indicates if the the KPI score or service health score value was actually N/A previously. This field exists because values stored under a metric_name can only be integers. Mainly for forensics to better reflect the true alert_value. |
is_service_aggregate | 1 | "0" if the data point is from an entity, "1" if it's from the Service Aggregate calculation. Never filter against this field. |
is_service_disabled | 0 | Indicates if the service was in a disabled state at into_max_time OR has been disabled at the time the data point was taken. |
is_service_in_maintenance | 0 | "0" if the service described in itsi_service_id is not in maintenance at the time the data point was taken, "1" if it was. |
is_service_max_severity_event | 0 | "0" if this is a normal KPI data point, "1" if it's the Max Severity event. Never filter against this field. |
itsi_kpi_id | efd9c9eeb482a9cfde9a8e2d | The ID or key of the KPI to which this KPI data point belongs. Never filter against this field. |
itsi_service_id | b5946968-dfa8-4aa2-a393-7163d2576c6e | The ID or key of the service to which this KPI data point belongs. Never filter against this field. |
itsi_team_id | default_itsi_security_group | The team the service belongs to. For more information, see Overview of teams in ITSI. |
kpi_importance | 11 | The importance value configured for the KPI at the time the data point was taken. |
kpi_base_search | 5d75b61e6e651456557ab604 | Only defined on data points generated by a shared base search. This is the key of the shared base search that made this KPI data point. |
metric_name:alert_level | 2 | An integer indicating the severity of the data point. This is the main property for severity and should be the one used for filtering and grouping. Other properties related to the severity are only there for convenience and may be deprecated in a future release. |
metric_name:alert_value | 1 | The actual aggregated numeric value of the KPI for this data point. This field is used for all graphing and display of the KPI value. |
metric_name:service_health_score | 100.0 | The numeric value of the service health score. This field is used for all graphing and display of the service health score value. |
scoretype | service_health | The type of health score the event contributes to. Used to distinguish service health score events from composite health score events. This field is only present in Health Score type KPI data points.
|
search_name | disabled_kpis_healthscore_generator | The name of the saved search that made the KPI data point. Added by the summary indexing process, mainly useful for forensics. |
search_now | 1572460080.000 | The effective "now" used when the saved search was dispatched. Added by the summary indexing process, mainly useful for forensics. |
source | disabled_kpis_healthscore_generator | The search that populates the summary index with state values for the KPI. |
sourcetype | stash | Specifies the format of the data input from which the event originates. Set by the summary indexing process to "stash" for licensing purposes. |
ITE Work summary index reference | Configure multiple ITE Work deployments to use the same indexing layer |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.16.0 Cloud only
Feedback submitted, thanks!