Split and filter a KPI by entities in ITSI
Split a KPI by entities in IT Service Intelligence (ITSI) to monitor each individual entity against which the KPI search runs. You can also filter a KPI by service entities to reduce collection of extraneous data by only running the KPI search against a specific service's entities. Splitting and filtering gives you more granular control of your KPI at the entity level.
Entity rule best practices
Entity rules within a service ensure that you dynamically filter to the entities that matter in your environment. Use entity rules that are prescriptive enough that you catch the entities you care about for that service. If you're matching service-level entity rules to tens and thousands of entities, it can be difficult to monitor the entities you're interested in, which can slow internal operations.
ITSI doesn't limit the number of matching entities for a service. Be mindful of the performance implication when you have a lot of entities matched for a single service.
Split a KPI by entity
The Split by Entity option lets you maintain a breakdown of KPI values at the entity level. Split KPI results by a specific entity to monitor each individual entity against which a KPI is running.
You must split KPIs by entity to use the following ITSI features:
- Per-entity thresholds. See Set per-entity threshold values.
- Entity overlays. See Add entity and anomaly overlays to a deep dive.
- Maximum severity view in the Service Analyzer. See Aggregate versus maximum severity KPI values in ITSI in the ITSI Service Insights Manual.
- Cohesive anomaly detection. See Apply anomaly detection to a KPI in ITSI.
- Split by multiple entity aliases. See information about the Entity Split Field in the table below.
Configure the following fields:
|Field|Description|
|Split by Entity|Enable a breakdown of KPI values at the entity level. The KPI must be running against two or more entities.|
|Entity Split Field|The field(s) in your data to use to look up the corresponding split by entities. You can specify up to 3 fields for ad hoc and shared base searches. The default lookup field for data model searches and ad hoc searches is |
When filtering a KPI down to entities, you can split by a field other than the field you're using for filtering the entities (specified in the Entity Filter Field). This lets you filter to the hosts that affect your service, but split out your data by a different field. For example, you might want to filter down to all of your database hosts but split the metric by the processes running on the hosts.
Note: You generate pseudo entities if you split by entity but the entity split field isn't matched in the entity lookup. Pseudo entities are displayed with a
Filter a KPI by service entities
Entity filtering lets you specify the service entities against which a KPI search runs. Provide an entity filter field to reduce collection of extraneous data. For example, if you enable entity filtering for a KPI in the Online Sales service, only entities assigned to the Online Sales service are used to calculate the KPI search metrics.
Note: Entities are assigned to a service through entity rules. For more information, see Define entity rules for a service in ITSI.
|Field|Description|
|Filter to Entities in Service|Enable or disable entity filtering. To filter to entities in a service, the service must have associated entities. If the service does not have associated entities, an error message appears.|
|Entity Filter Field|The entity alias field name already defined within each entity that will be used to create a |
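The following Python model is an added example, not Splunk's code or an ITSI API. It illustrates filtering a KPI to a service's entities on one field while splitting by another, and how a split value with no matching entity alias becomes a pseudo entity. The entity records, the `services` membership (standing in for entity rules), the field names, and the events are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed entities. "services" stands in for the result of entity rules.
ENTITIES = [
    {"aliases": {"host": "db01"}, "services": {"Online Sales"}},
    {"aliases": {"host": "db02"}, "services": {"Online Sales"}},
    {"aliases": {"host": "web01"}, "services": {"Storefront"}},
    {"aliases": {"process": "mysqld"}, "services": set()},
]

# Constructed KPI search results (one row per event).
EVENTS = [
    {"host": "db01", "process": "mysqld", "cpu": 40},
    {"host": "db02", "process": "mysqld", "cpu": 60},
    {"host": "db01", "process": "backup_agent", "cpu": 10},
    {"host": "db02", "process": "backup_agent", "cpu": 30},
    {"host": "web01", "process": "nginx", "cpu": 90},
]


def run_kpi(events, entities, service, filter_field, split_field, metric):
    """Model of filter-to-service followed by split-by-entity."""
    # Filter: alias values of entities that belong to the service.
    allowed = {e["aliases"][filter_field] for e in entities
               if service in e["services"] and filter_field in e["aliases"]}
    if not allowed:
        raise ValueError(f"service {service!r} has no associated entities")
    # Split lookup: every alias value defined for the split field.
    known = {e["aliases"][split_field] for e in entities
             if split_field in e["aliases"]}
    buckets = defaultdict(list)
    for ev in events:
        if ev.get(filter_field) in allowed and split_field in ev:
            buckets[ev[split_field]].append(ev[metric])
    # A split value with no matching entity alias is a pseudo entity.
    return {value: {"avg": mean(vals), "pseudo": value not in known}
            for value, vals in buckets.items()}


if __name__ == "__main__":
    result = run_kpi(EVENTS, ENTITIES, "Online Sales", "host", "process", "cpu")
    for name, row in sorted(result.items()):
        print(name, row)
```

In this model the `web01` event never reaches the calculation because `web01` is not in the Online Sales service, and `backup_agent` is reported as a pseudo entity because no entity defines it as a `process` alias.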
After you configure entity split and filter fields, move on to step 3: Configure KPI monitoring calculations in ITSI.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1