Splunk® IT Service Intelligence

Service Insights Manual

Splunk IT Service Intelligence (ITSI) version 4.11.x reached its End of Life on December 6, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.

Enable backfill for a KPI in ITSI

Enable backfill for a KPI in IT Service Intelligence (ITSI) to fill the summary index with historical raw KPI data. A search runs in the background and populates the summary index with KPI data over the period you define, as it would have been populated at a regularly scheduled time by KPI saved searches. In other words, even though the summary index only started collecting data at the start of this week when the KPI was created, if necessary you can use the backfill option to fill the summary index with data from the past month.

For an overview of the entire KPI creation workflow, see Overview of creating KPIs in ITSI.

Prerequisite

Prerequisite Description
Disable KPI alerting Before you backfill a KPI, disable KPI alerting. If KPI alerting is enabled when you backfill a KPI, ITSI can generate duplicate alerts. For more information about enabling and disabling KPI alerting, see Receive alerts when KPI severity changes in ITSI.
Indexed raw data requirements The backfill option requires you to have adequate indexed raw data for the backfill period you select.

Choose a backfill period

Backfill is a one-time operation. Once started, it cannot be redone or undone. For example, if you backfill 60 days of data and then later decide that you want 120 days, you cannot go back and change the backfill period. Think carefully about how many days of data you want to backfill before saving the service.

When you enable backfill, you must indicate how many days of data to backfill. You can choose a predefined time range like last 7 days, or select a custom date prior to the current date. If you choose a specific date, the dropdown dynamically updates with the number of days you're backfilling to.

The backfill period is the time range of data that is available after backfill is complete. For example, if you select last 30 days, ITSI fills the summary index with data from the past 30 days. In other words, you now have 30 days of KPI data available.

KPIs with a calculation window greater than 15 minutes can't be backfilled.

How backfill fills data gaps

If you backfill a KPI that uses Last available value to fill data gaps, the gaps are backfilled with filled-in alert values, using the last reported value for the KPI instead of N/A alert values. If you backfill a KPI that uses a Custom value to fill data gaps, data gaps are backfilled with filled-in alert values (using the custom value provided) instead of N/A alert values. For more information about the options for filling data gaps, see Configure KPI monitoring calculations in ITSI.

Determine whether backfill was successful

You must save the service to initiate the backfill. A message appears in Splunk Web that informs you when the backfill is complete.

ITSI supports a maximum of 60 days of data in the summary index. Therefore, after you configure backfill, you see one of the following messages:

  • Backfill is not available - More than 60 days of summary index data already exists.
  • Backfill has been configured for last <#> days of data - The backfill job is configured but hasn't run yet. It might not have run because you haven't saved the service yet.
  • Backfill completed for last <#> days - Backfill has completed successfully. This message only shows up until a total of 60 days of data is in the summary index, then it changes to Backfill is not available.

Next steps

After you enable backfill, move on to step 6: Configure KPI thresholds in ITSI.

Last modified on 21 June, 2024
Define KPI unit and monitoring lag in ITSI   Configure KPI thresholds in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters