Enable backfill for a KPI in ITSI
Enable backfill for a KPI in IT Service Intelligence (ITSI) to fill the summary index with historical raw KPI data. A search runs in the background and populates the summary index with KPI data over the period you define, as it would have been populated at a regularly scheduled time by KPI saved searches. In other words, even though the summary index only started collecting data at the start of this week when the KPI was created, if necessary you can use the backfill option to fill the summary index with data from the past month.
For an overview of the entire KPI creation workflow, see Overview of creating KPIs in ITSI.
|Disable KPI alerting
|Before you backfill a KPI, disable KPI alerting. If KPI alerting is enabled when you backfill a KPI, ITSI can generate duplicate alerts. For more information about enabling and disabling KPI alerting, see Receive alerts when KPI severity changes in ITSI.
|Indexed raw data requirements
|The backfill option requires you to have adequate indexed raw data for the backfill period you select.
Choose a backfill period
Backfill is a one-time operation. Once started, it cannot be redone or undone. For example, if you backfill 60 days of data and then later decide that you want 120 days, you cannot go back and change the backfill period. Think carefully about how many days of data you want to backfill before saving the service.
When you enable backfill, you must indicate how many days of data to backfill. You can choose a predefined time range like
last 7 days, or select a custom date prior to the current date. If you choose a specific date, the dropdown dynamically updates with the number of days you're backfilling to.
The backfill period is the time range of data that is available after backfill is complete. For example, if you select
last 30 days, ITSI fills the summary index with data from the past 30 days. In other words, you now have 30 days of KPI data available.
KPIs with a calculation window greater than 15 minutes can't be backfilled.
How backfill fills data gaps
If you backfill a KPI that uses Last available value to fill data gaps, the gaps are backfilled with filled-in alert values, using the last reported value for the KPI instead of N/A alert values. If you backfill a KPI that uses a Custom value to fill data gaps, data gaps are backfilled with filled-in alert values (using the custom value provided) instead of N/A alert values. For more information about the options for filling data gaps, see Configure KPI monitoring calculations in ITSI.
Determine whether backfill was successful
You must save the service to initiate the backfill. A message appears in Splunk Web that informs you when the backfill is complete.
ITSI supports a maximum of 60 days of data in the summary index. Therefore, after you configure backfill, you see one of the following messages:
Backfill is not available- More than 60 days of summary index data already exists.
Backfill has been configured for last <#> days of data- The backfill job is configured but hasn't run yet. It might not have run because you haven't saved the service yet.
Backfill completed for last <#> days- Backfill has completed successfully. This message only shows up until a total of 60 days of data is in the summary index, then it changes to
Backfill is not available.
After you enable backfill, move on to step 6: Configure KPI thresholds in ITSI.
Define KPI unit and monitoring lag in ITSI
Configure KPI thresholds in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0