Splunk® IT Service Intelligence

User Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Acrobat logo Download topic as PDF

Use the Service Analyzer tile view in ITSI

The tile view is the default view of the Service Analyzer. To use the Service Analyzer tile view, click the Tile icon.png icon in the Service Analyzer. Whichever view you save last loads the next time you open the Service Analyzer.


The Service Analyzer lists the top 50 most critical services and KPIs you are monitoring. Change the number of services or KPIs to display by clicking the gear icon next to the title.

The services and KPIs are represented as tiles containing a number, a color, and a sparkline. The number and the color indicate the current severity level of the service or KPI and the sparkline indicates the trend of the value for the time range selected in the time range picker (default is last 60 minutes).

A notification icon ( Exclamation.png ) on a tile indicates one of the following conditions, or both conditions, within the selected time range:

  1. The service or KPI has one or more entities in a degraded state.
  2. The service has one or more critical or high notable event groups associated with it.

Hover over the icon to find out which conditions exist. Click the tile to open the side panel with more information.

Note that service tiles are not displayed for services for which the user does not have read access. Likewise, KPI tiles are not displayed for KPIs associated with services for which the user does not have read access. Read and write access to services and KPIs is controlled by teams. For information about teams, see ITSI service-level permissions in the Installation and Configuration Manual.

The minimum time range that can be selected in the time picker is 45 minutes. This is the minimum length of time needed to ensure all KPI data is available. If you select Last 15 minutes, or any time range that is less than 45 minutes, the time picker is automatically set to 45 minutes.


You can filter the services and KPIs that are displayed in the Service Analyzer using the Filter Services and Filter KPIs boxes at the top. When you filter by service, only the KPIs that belong to the filtered services are displayed. When you filter by KPI, only the services associated with the KPI are displayed. You can select one or more services or KPIs to filter in the dropdown list.

You can also use wildcards to filter. You can specify more than one wildcard filter. For example, if you have three services called Database Service 1, Database Service 2, and Database Service 3, you could type data* in the Filter Services field to display just these three services and their associated KPIs. Furthermore, you can filter the KPIs for the filtered services. So if you wanted to see only the Database Service Response Time KPI for the three database services, you could specify *response* in the Filter KPIs field. Note that if you filter on services then filter on a KPI that does not belong to any of the filtered services, no matches will be displayed.

Users cannot filter services or KPIs in the Filter Services and Filter KPI fields unless they have read access to those services and KPIs.

Disabled services

By default, disabled services and KPIs associated with disabled services are not shown on the Service Analyzer. Click the Show disabled service(s) check box at the top to display disabled services and their corresponding KPIs. The tiles for disabled services and KPIs are grey and display N/A instead of a number.

Automatically refresh the Service Analyzer

You can automatically refresh the Service Analyzer when a relative time range is selected from the time picker (as opposed to real-time). By default, auto-refresh is disabled for Service Analyzer. To enable it, create itsi_service_analyzer.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local and add the following stanza to it:

disabled = 0
interval = 180

Interval is in seconds and defines the time interval to automatically refresh Service Analyzer. This configuration file setting applies to the default Service Analyzer and all saved Service Analyzers. For more information about this configuration file, see $SPLUNK_HOME/etc/app/SA-ITOA/README/itsi_service_analyzer.conf.spec.

Auto-refresh is disabled if a real-time selection is made in the time picker.


The number displayed in a service tile indicates the service health score. Service health scores range from 0 to 100, with 0 being most critical and 100 being most healthy.

Service Health Score Severity level Color
0-20 Critical Criticle.png
20-40 High High.png
40-60 Medium Medium.png
60-80 Low Yellow.png
80-100 Normal Green.png

The service health score calculation is based on the current severity level of service KPIs (critical, high, medium, low, and normal) and the user-defined KPI importance value. For information about how the service health score is calculated, see How service health scores work in the ITSI Installation and Configuration manual.

If a service is in maintenance mode, the tile is dark grey and contains a maintenance icon Maint icon.png.


The number displayed in a KPI tile is the number returned from the KPI search of the data. For example, you could have a KPI called Successful Logins that is a count of logins to your website. When a KPI is created in ITSI, aggregate severity-level thresholds of Normal, Low, Medium, High, and Critical are defined. If a KPI is split by entity, entity severity-level thresholds are also defined. The color corresponding to the aggregate severity-level is displayed in the KPI tile in the Service Analyzer by default. See Set Thresholds in the ITSI Installation and Configuration manual for information about KPI severity levels.

The name of the service that the KPI is associated with is displayed on the line beneath the name of the KPI for reference.

KPI tiles that are grey indicate one of the following conditions:

  • The KPI search has returned no data matching the search criteria. The sparkline is flat in this case.
  • The KPI is associated with a disabled service (when the Show disabled service(s) check box is checked).
  • The KPI is associated with a service in maintenance mode (displayed in dark grey with a maintenance icon Maint icon.png)

Drill down to a deep dive

You can drill down from the Service Analyzer tile view to a deep dive, where you can view and compare service health scores or KPI search results over time.

  1. Select the check box on one or more service or KPI tiles.
  2. Click Drilldown to Deep Dive.

If you select a single service or a single KPI, all KPIs associated with that service appear in the deep dive. If you select multiple services or KPIs, only the associated service health scores appear.

For more information about deep dives, see Deep dives in ITSI in this manual.

Last modified on 06 November, 2018
Monitor the health of your services with the ITSI Service Analyzer
Use the Service Analyzer tree view in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters