Splunk® IT Service Intelligence

User Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

ITSI Service Analyzer use case

The Service Analyzer displays information about underlying entities and critical and high episodes associated with services. This helps you more quickly investigate the cause of service degradation.

To investigate a service with poor health or a service that displays a notification icon, click the service tile. A panel opens displaying the severity and values of the KPIs associated with the service and up to 20 episodes associated with the service that have a severity of critical or high. Furthermore, you can click on a KPI in the side panel (or on a KPI tile) to see a secondary panel that shows the severity and value of any entities that contribute to the KPI.

If you bookmark or copy the URL for a service analyzer page, the service or KPI that is selected and any side panels that are open are saved as part of the page.


As an IT Operations analyst, you are monitoring service health on the ITSI Service Analyzer.

  1. You notice a notification icon on the Database Service tile. You hover over the icon and see a message that the service has entities in a degraded state and also has critical or high episodes associated with it.
    Notif icon.png

  2. You click the Database tile and a side panel opens showing the service KPIs and the critical or high episodes.
    You see that two KPIs have notification icons indicating that they have entities in a degraded state. You also see there is one episode in a critical state containing over a hundred events.

    Tip: Click View All to view the groups in Episode Review. Episode Review opens in a new tab and is filtered for the service you are viewing and the time range you are using on the Service Analyzer page. For information about Episode Review, see Overview of Episode Review in ITSI.

  3. You click the Storage Free Space: % KPI because it is in a critical state and has one or more entities with degraded performance. A secondary panel opens showing the contributing entities for this KPI.
    No free space.png
    You can now observe that the mysql-02 entity is in a critical state and has no free space. You have discovered the root cause of the service degradation.

  4. You click the name of the entity to see more information about the host on the Entity Details page. From here, you can see entity details such as title, host, application, itsi_role, version, and family.

    You can only edit an entity on the Entity Details page if you have write permissions to the Global team. By default only the itoa_admin role has write permissions to the Global team.

Last modified on 14 November, 2018
Aggregate versus maximum severity KPI values in ITSI
Overview of Episode Review in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters