Split and filter a KPI by entities in ITSI
Split a KPI by entities in IT Service Intelligence (ITSI) to monitor each individual entity against which the KPI search runs. You can also filter a KPI by service entities to reduce collection of extraneous data by only running the KPI search against a specific service's entities. Splitting and filtering gives you more granular control of your KPI at the entity level.
Entity rule best practices
Entity rules within a service ensure that you dynamically filter to the entities that matter in your environment. Use entity rules that are prescriptive enough that you catch the entities you care about for that service. If you're matching service-level entity rules to tens and thousands of entities, it can be difficult to monitor the entities you're interested in, which can slow internal operations.
ITSI doesn't limit the number of matching entities for a service. Be mindful of the performance implication when you have a lot of entities matched for a single service.
Split a KPI by entity
The Split by Entity option lets you maintain a breakdown of KPI values at the entity level. View KPI results by a specific entity to monitor each individual entity against which a KPI is running.
You must split KPIs by entity to use the following ITSI features:
- Per-entity thresholds. See Set per-entity threshold values.
- Entity overlays. See Add entity and anomaly overlays to a deep dive.
- Maximum severity view in the Service Analyzer. See Aggregate versus maximum severity KPI values in ITSI in the ITSI Service Insights Manual.
- Cohesive anomaly detection. See Apply anomaly detection to a KPI in ITSI.
- Split by multiple entity aliases. See information about the Entity Split Field in the table below.
Configure the following fields:
|Split by Entity
|Enable a breakdown of KPI values at the entity level. The KPI must be running against two or more entities.
|Entity Split Field
|The field(s) in your data to use to look up the corresponding split by entities. You can specify up to 3 fields for ad-hoc and shared base searches. The default lookup field for data model searches and ad hoc searches is
host. For metrics searches, select a dimension associated with the metric. This field is case sensitive.
When filtering a KPI down to entities, you can split by a field other than the field you're using for filtering the entities (specified in the Entity Filter Field). This lets you filter to the hosts that affect your service, but split out your data by a different field. For example, you might want to filter down to all of your database hosts but split the metric by the processes running on the hosts.
Note: You generate pseudo entities if you split by entity but the entity split field isn't matched in the entity lookup. Pseudo entities are displayed with a
Filter a KPI by service entities
Entity filtering lets you specify the service entities against which a KPI search runs. Provide an entity filter field to reduce collection of extraneous data. For example, if you enable entity filtering for a KPI in the Online Sales service, only entities assigned to the Online Sales service are used to calculate the KPI search metrics.
Note: Entities are assigned to service through entity rules. For more information, see Define entity rules for a service in ITSI.
|Filter to Entities in Service
|Enable or disable entity filtering. To filter to entities in a service, the service must have associated entities. If the service does not have associated entities, an error message appears.
|Entity Filter Field
|The entity alias field name already defined within each entity that will be used to create a
fieldname=value filter. The filter is applied as a suffix sub-search to the main KPI search. You can only filter to alias fields defined in entities, not the entity title. For metrics searches, select a dimension for the metric. The default field for data model searches, ad hoc searches, and metrics searches is
host. This field can be different than the field used for the Entity Split Field.
After you configure entity split and filter fields, move on to step 3: Configure KPI monitoring calculations in ITSI.
Define a KPI source search in ITSI
Configure KPI monitoring calculations in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0