Configure deep dive lanes in ITSI
Configure metric, KPI, or event lanes in IT Service Intelligence deep dives to display search results and monitor your services.
Configure metric lanes in a deep dive in ITSI
Metric lanes in IT Service Intelligence (ITSI) deep dives display search results for a user-defined data model or ad hoc search. When you add a new metric lane to the deep dive, you configure a new data model or ad hoc search.
Prerequisites
- You must have the write_itsi_deep_dive capability to add a swim lane to a deep dive. By default, the itoa_admin, itoa_team_admin, and itoa_analyst roles are assigned this capability.
- Read and write access to services and KPIs is controlled by team permissions. When adding a new swim lane, you can only select from services to which you have read access. You cannot perform bulk actions on lanes for which you do not have read access.
Steps
- In the deep dive, select Add Lane > Add Metric Lane.
- Configure your new metric lane.
Field | Description |
---|---|
Title | The title for your new metric lane. |
Subtitle (optional) | Additional info about your search, service, and so on. |
Graph Type | Line, Area, or Column. |
Graph Color | The color for your metric lane graph. |
Lane Size | Small, Medium, or Large. |
Search Type | Ad hoc: Type your custom search string in the Search field. Data Model: Select a data model and an aggregation operation. Add a Where clause that maps the data model search field to entity alias values (optional). For example, dest=myserver.com |
- Click Create Lane. Your new metric lane appears in the deep dive.
- Select the Primary Time Range for your metric lane. The selected primary time range applies to all lanes in the deep dive.
Configure KPI lanes in a deep dive in ITSI
KPI lanes in IT Service Intelligence (ITSI) deep dives display search results for existing KPIs in your services. KPI lanes also provide the option of running searches against the KPI summary index, which can accelerate search times.
Prerequisites
- You must have the write_itsi_deep_dive capability to add a swim lane to a deep dive. By default, the itoa_admin, itoa_team_admin, and itoa_analyst roles are assigned this capability.
- Read and write access to services and KPIs is controlled by team permissions. When adding a new swim lane, you can only select from services to which you have read access. You cannot perform bulk actions on lanes for which you do not have read access.
Create a KPI lane
- In the deep dive, select Add Lane > Add KPI Lane.
- Configure your new KPI lane.
Field | Description |
---|---|
Title | The title for your new KPI lane. |
Subtitle (optional) | Additional info about your search, service, and so on. |
Graph Type | Line, Area, or Column. For count-based KPIs, choose Column to display discrete numeric values without interpolation. |
Graph Color | The color for your KPI lane graph. |
Lane Size | Adjust the lane height for easier viewing and analysis. |
Service | The service containing the KPI you want to display. |
KPI | The specific KPI you want to display. |
Accelerate Using KPI Summary | By default, all KPI searches are run against the itsi_summary index, which increases search speeds. Select No if you want to switch from itsi_summary index search to raw search. This option is disabled for KPI searches with calculation windows of 24 hours or more. |
- Click Create Lane. Your new KPI lane appears in the deep dive.
Configure threshold options for a KPI lane
You can display KPI status as either a graph against horizontal color bands that represent threshold severity levels, or as discrete vertical color blocks that represent the severity level over a given unit of time. Threshold view options apply to KPI lanes only.
The following example shows the difference between level and state indication:
Steps
- Click the gear icon in the KPI lane and select Threshold Options.
- Set Enable Threshold Indication to Yes.
- Choose a threshold indication type:
Field | Description |
---|---|
Level Indication | Displays thresholds as horizontal bands. |
State Indication | Displays thresholds in distinct time blocks. State indication shows the aggregate KPI status for KPIs that are split by entity. |
- (Optional) If you chose state indication, enable Hide Graph to show severity-level thresholds in distinct time blocks without the line graph.
- Click Done.
After you configure your threshold options, you can use the Bulk Actions menu to show or hide thresholds for selected lanes.
Configure graph rendering options for a KPI lane
Graph rendering options determine how a KPI's results are displayed in a swimlane. While the rendering options are set to reasonable defaults, you can alter them depending on the type of data you're analyzing.
To access the graph rendering options for a KPI lane:
- Click the gear icon in the KPI lane and select Graph Rendering Options.
- Configure the following options:
Vertical Axis Scale
The vertical axis scale determines the scale of the y-axis of your KPI swimlane. On a linear scale, the value between any two data points never changes. A logarithm is based on exponents, so on a logarithmic scale the value between two points changes in a particular pattern.
Option | Description |
---|---|
Linear | The scale for deep dive swim lanes. Use linear scale if your data stays within a relatively reasonable boundary of values. |
Logarithmic | Useful for datasets with very high numbers and very low numbers. If you want to see the behavior of the low numbers without them being overshadowed by the high numbers, use a logarithmic scale. |
Vertical Axis Boundary
The vertical axis boundary determines the starting and ending boundaries of the Y-axis of a KPI lane. Because deep dives are meant to compare the behavior of many metric time series to each other, the default is Data Extent.
Option | Description |
---|---|
Data Extent | Data Extent means that the lowest value in your data will be the lowest value of the Y-axis and the highest value of your data will be the highest value of the Y-axis. For example, if the lowest value in your data set is 23 and the highest is 50, the Y-axis will span from 23 to 50. |
Zero Extent | Zero Extent is the same as Data Extent except it includes a minimum value of zero. For example, even if your data ranges from 23 to 50, the Y-axis boundary will be from zero to 50. Similarly, if your data ranges from -50 to -27, the Y-axis will range from -50 to zero. Zero extent is useful for datasets that don't have a lot of large numbers or variability. |
Static | Configure your own Y-axis boundaries depending on your use case. For example, if your KPI value is a percentage, change the vertical axis boundary to a minimum value of 0 and a maximum value of 100. |
Graph Data Gaps
This setting determines how the deep dive displays gaps in your data. It's important to note that a "gap" doesn't necessarily mean data was missed.
When set to Connected, the deep dive essentially interpolates the data between the actual KPI data points collected at regular intervals. For example, your KPI search might be configured to run every five minutes, but deep dives by default display data for every few seconds. ITSI essentially draws a line between those two data points to connect them and fill in the "missed" five minutes. The following image shows a lane with connected data gaps:
When set to Gaps, the deep dive removes this interpolation and instead fills data gaps with gray boxes. For count-based KPIs, you can use this setting to see the discrete data points corresponding to the counts coming in. The following image shows a lane displaying data gaps:
Configure event lanes in a deep dive in ITSI
Event lanes in IT Service Intelligence (ITSI) deep dives display the number of occurrences of a specific event type over time. For example, an event lane might show the number of times an error appears in your data. Light bands represent times where there are no events, and dark bands represent times when there were one or more events. Event lanes also let you drill down to a Splunk search and view all events in a selected time bucket directly inside the deep dive.
The following deep dive shows an example of how event lanes can help you troubleshoot outages. As database service errors start coming in, the Database Service Response Time KPI begins to degrade, soon after which the entire service health score drops. Clicking an event band displays the actual associated events to give you more information about the outage:
Prerequisites
- You must have the write_itsi_deep_dive capability to add a swim lane to a deep dive. By default, the itoa_admin, itoa_team_admin, and itoa_analyst roles are assigned this capability.
- Read and write access to services and KPIs is controlled by team permissions. When adding a new swim lane, you can only select from services to which you have read access. You can't perform bulk actions on lanes for which you don't have read access.
Steps
- In the deep dive, select Add Lane > Add Event Lane.
- Configure your new event lane.
Field | Description |
---|---|
Title | The title for your new event lane. |
Subtitle (optional) | Additional info about your search and service. |
Graph Color | The color for your event lane graph. |
Lane Size | Adjust the size of the lane for easier viewing and analysis. |
Event Search | The event search to display in the lane. Event searches can't contain reporting search commands, such as stats and timechart. For example, a search for Windows security events might be: index=itsidemo sourcetype=wineventlog:security |
- Click Create Lane. Your new event lane appears.
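A pre-check for the rule that event searches can't contain reporting search commands, as an added example (not Splunk's code) that you could run over candidate lane searches before pasting them into the Event Search field. The page names only stats and timechart; the other entries in the command set are standard SPL transforming commands included as an assumption, and treating commands inside a [subsearch] as allowed is also an assumption.

```python
import re

# The page names stats and timechart. chart, top and rare are standard SPL
# transforming commands added here as an assumption, not a list from the page.
REPORTING_COMMANDS = {"stats", "timechart", "chart", "top", "rare"}


def split_pipeline(search):
    """Split an SPL string on top-level pipes, ignoring pipes that sit
    inside double-quoted strings or inside [subsearches]."""
    stages, current = [], []
    depth, in_quotes, escaped = 0, False, False
    for ch in search:
        if escaped:
            escaped = False            # character after a backslash is literal
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch == "[":
            depth += 1
        elif not in_quotes and ch == "]":
            depth = max(depth - 1, 0)
        elif not in_quotes and depth == 0 and ch == "|":
            stages.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    stages.append("".join(current).strip())
    return stages


def reporting_commands_in(search):
    """Return the reporting commands used as top-level pipeline stages."""
    found = []
    # Stage 0 is the implicit base search (empty if the string starts with "|").
    for stage in split_pipeline(search)[1:]:
        match = re.match(r"[A-Za-z_]+", stage)
        if match and match.group(0).lower() in REPORTING_COMMANDS:
            found.append(match.group(0).lower())
    return found
```

An empty list means the search returns raw events and fits an event lane; a non-empty list names the stages to remove or move into a metric lane instead.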
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1