Splunk® IT Essentials Work

Administration Manual

Splunk IT Essentials Work version 4.9.0 isn't available for download.
This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

ITE Work metrics summary index reference

The metrics summary index, itsi_summary_metrics, is a metrics-based summary index that stores KPI data. The index is a metrics version of the events summary index. For more information, see ITSI summary index reference.

As of ITSI version 4.6.0, each ITE Work KPI is summarized into both the events summary index and the metrics summary index. Service health score values are calculated using metrics, and KPI and service health score tiles on the Service Analyzer are rendered using metrics. The metrics summary index creates a more responsive UI experience by increasing the performance of the searches dispatched by ITE Work. In future releases, additional UI elements will be converted to use the mstats syntax.

The metrics summary index provides the following performance improvements:

  • Service Analyzer rendering is 28% faster
  • Service topology rendering is 18% faster

For more information about metrics indexes, see Metrics indexes in the Splunk Enterprise Metrics Manual.

Classes of fields in the metrics summary index

Type of field Description
Service aggregate Represents the value of the KPI for the service at a given time along with its evaluated severity. This field exists for every time, even if there is no data. There is exactly 1 for each period of the KPI.
Entity-level Represents the value of the KPI for a particular entity at a given point in time along with its evaluated severity. There are 0 to n of these data points. If there is no data, there are no entity-level data points even if the KPI is split by entity.
Max severity Represents the most severe KPI data point among service aggregate and all entity-level data points for a given time. Its value is random if multiple data points have the same severity. This data point exists solely for the purpose of evaluating score events. It always exists for every time, even if there's no data. There is exactly 1 event for each period of the KPI.
Health score Represents the health score of a given service at a given time. There is exactly 1 event for each service every minute regardless of the number or period of KPIs within the service.

Metrics summary index fields

The following table provides descriptions and sample values for each field in the summary index.

Field Sample value Description
alert_period 5 The period, in minutes, at which the data point is expected in the summary index. For example, if "5", there should be 1 event every 5 minutes. This field translates to the cron schedule of the KPI.
entity_key service_aggregate The key in the entity database of the entity to which this data point belongs, if defined. If "N/A" then the value refers to a pseudo entity. If "service_aggregate" then the value refers to the Service Aggregate data point for the KPI. On a maximum severity event this field and the entity_title can tell you which KPI data point was selected as the Max Severity data point.
entity_title service_aggregate The title in the entity database of the entity to which this data point belongs. In the case of pseudo entities, the title of the entity as found in the data.
host ip-10-202-0-160.ec2.splunkit.io The originating hostname or IP address the KPI saved search was dispatched from.
index itsi_summary_metrics Stores the name of the index, which will always be itsi_summary_metrics. A standard field in Splunk software.
info_max_time 1572460080.000 The latest time bound of the dispatched saved search that resulted in this data point. Added by the summary indexing process, mainly useful for forensics.
info_min_time 1572460020.000 The earliest time bound of the dispatched saved search that resulted in this data point. Added by the summary indexing process, mainly useful for forensics.
info_search_time 1572460080.844 The actual time the saved search that resulted in this data point was dispatched. Added by the summary indexing process, mainly useful for forensics.
is_backfilled_event 1 Indicates whether a result is is from a backfill operation.
is_entity_defined 0 "0" if the entity described in entity_title and entity_key is a pseudo entity, "1" if it's a defined entity. This field is better to filter against than entity_key!="N/A", though it is still 0 for service-level data.
is_entity_in_maintenance 0 "0" if the entity described in entity_key is not in maintenance at the time the data point was taken, "1" if it was. A pseudo entity can never be in maintenance. If an entity is in maintenance, its value is not included in the Service Aggregate calculation unless every entity in the service is in maintenance. For more information, see Schedule maintenance downtime in ITSI.
is_filled_gap_event 0 An indication of whether there were any data gaps that were filled with an specified value. If "1", there was a gap that was filled. For more information about filling data gaps, see Configure KPI monitoring calculations in ITSI.
is_null_alert_value 1 Indicates if the the KPI score or service health score value was actually N/A previously. This field exists because values stored under a metric_name can only be integers. Mainly for forensics to better reflect the true alert_value.
is_service_aggregate 1 "0" if the data point is from an entity, "1" if it's from the Service Aggregate calculation. Never filter against this field.
is_service_disabled 0 Indicates if the service was in a disabled state at into_max_time OR has been disabled at the time the data point was taken.
is_service_in_maintenance 0 "0" if the service described in itsi_service_id is not in maintenance at the time the data point was taken, "1" if it was.
is_service_max_severity_event 0 "0" if this is a normal KPI data point, "1" if it's the Max Severity event. Never filter against this field.
itsi_kpi_id efd9c9eeb482a9cfde9a8e2d The ID or key of the KPI to which this KPI data point belongs. Never filter against this field.
itsi_service_id b5946968-dfa8-4aa2-a393-7163d2576c6e The ID or key of the service to which this KPI data point belongs. Never filter against this field.
itsi_team_id default_itsi_security_group The team the service belongs to. For more information, see Overview of teams in ITSI.
kpi_importance 11 The importance value configured for the KPI at the time the data point was taken.
kpi_base_search 5d75b61e6e651456557ab604 Only defined on data points generated by a shared base search. This is the key of the shared base search that made this KPI data point.
metric_name:alert_level 2 An integer indicating the severity of the data point. This is the main property for severity and should be the one used for filtering and grouping. Other properties related to the severity are only there for convenience and may be deprecated in a future release.
metric_name:alert_value 1 The actual aggregated numeric value of the KPI for this data point. This field is used for all graphing and display of the KPI value.
metric_name:service_health_score 100.0 The numeric value of the service health score. This field is used for all graphing and display of the service health score value.
scoretype service_health The type of health score the event contributes to. Used to distinguish service health score events from composite health score events. This field is only present in Health Score type KPI data points.
  • For a composite multi-KPI event the value is compositekpi_health.
  • For a service health score event the value is service_health.
search_name disabled_kpis_healthscore_generator The name of the saved search that made the KPI data point. Added by the summary indexing process, mainly useful for forensics.
search_now 1572460080.000 The effective "now" used when the saved search was dispatched. Added by the summary indexing process, mainly useful for forensics.
source disabled_kpis_healthscore_generator The search that populates the summary index with state values for the KPI.
sourcetype stash Specifies the format of the data input from which the event originates. Set by the summary indexing process to "stash" for licensing purposes.
Last modified on 19 December, 2023
ITE Work summary index reference   Configure multiple ITE Work deployments to use the same indexing layer

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters