Splunk® IT Service Intelligence

Service Insights Manual

Acrobat logo Download manual as PDF


Splunk IT Service Intelligence (ITSI) version 4.11.x reached its End of Life on December 6, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
Acrobat logo Download topic as PDF

Add a predictive model to a glass table in ITSI

You can add predictive models to glass tables as ad hoc search visualizations. This lets you actively monitor service health and troubleshoot imminent issues before they impact your services.

Ad hoc searches are not optimized because each visualization runs its own individual search. Thus, the loading time for your glass table visualization is proportional to the number of predictive model visualizations you add.

Prerequisite

  • You must have a trained model saved into the service definition. For more information, see Train a predictive model in ITSI.
  • Select Configuration > Services, and select a service. Make sure you're on the Predictive Analytics tab within the service.

Steps

  1. Within the service, click on the Predictive Analytics tab and select the model under Test a Model.
  2. Click the magnifying glass in the Predicted Average Case Service Health Score or Predicted Worst Case Service Health Score panel to open the predictions in the Search app.

    The search is the same whether you select average or worst case.

  3. Copy the search string.
  4. Open your glass table in Edit mode.
  5. Select the data icon Data icon. and click Create Ad hoc search.
  6. Paste the copied search string into the Search with SPL box. Click Run & Save.
  7. Select the ad hoc search you created to add it to the glass table. This will add a new ad-hoc visualization to the glass table.
  8. Note:By default, the global time range picker sets the time range for all visualizations. Alternatively, you can add additional inputs to set custom time ranges on a per-visualization basis. See [http://docs.splunk.com/Documentation/ITSI/4.11.5/SI/Visualizations#Set_different_time_ranges_for_visualizations Set different time ranges for visualizations].

  9. After adding the ad-hoc visualization, click Source to access the source editor. Update the trend section under encoding, and update the primary[0] input to your desired threshold setting. Type primary.next30m_avg_hs to display the average prediction, or primary.next30m_worst_hs to display the worst case prediction.
  10. (Optional) Add color thresholding to predictive analytics visualizations:
    1. (Optional) Select a data field to pull search values from by clicking the Selected Data Field dropdown menu. By default, the first numeric data field is selected.
    2. Apply dynamic color thresholds using the Coloring section in the Configuration panel. For more information, see Configuration options for single value and single value icon visualizations.
  11. (Optional) Add a drilldown to the Predictive Analytics dashboard:
    1. Select the visualization.
    2. In the Configuration panel, select Add Drilldown.
    3. For On Click, choose the Link to custom URL option.
    4. In a separate ITSI window, navigate to Dashboards > Predictive Analytics.
    5. Select the service and corresponding model to display the health score prediction.
    6. Copy the URL and paste it into the URL field in the Configuration panel.
    7. Edit the URL from auto_load=false to auto_load=true to automatically load all of the dashboard panels.
  12. Select a visualization type in the Configuration panel. You cannot use the sparkline or trending value visualization types because the prediction is a static value.
  13. Click Save.

For more information about ad hoc search visualizations, see Add an ad hoc search visualization.

Last modified on 28 April, 2023
PREVIOUS
Create an alert for potential service degradation in ITSI
  NEXT
Retrain a predictive model in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters