Splunk® IT Service Intelligence

Service Insights Manual

Add data sources to glass tables in ITSI

The dataSources section of the glass table definition in IT Service Intelligence (ITSI) defines the data that powers each visualization. The ds.test data source is used for sample data and the ds.search data source is used for ad hoc searches.

Most of the data source configuration is automated when you create KPI visualizations, ad hoc searches, and charts in the visual editor. For more information about adding visualizations, see Add visualizations to glass tables in ITSI.

ds.test

The ds.test data source is for sample data and is structured by calling the dataSources module followed by the name you provide for the search, the data source type, options, data, and column values and fields.

Expand the following sections to see the structure and an example of ds.test:

ds.test structure

The following code sample shows the structure of ds.test.

"dataSources": {
    "<search_name>": {
        "type": "ds.test",
        "options": {
              "data": {
                 "columns": [
                        [
                            "1",
                            "2",
                            "3",
                            "4",
                            "5",
                            "6",
                            "7",
                            "8"
                        ],
                        [
                            "1",
                            "2",
                            "3",
                            "4",
                            "5",
                            "6",
                            "7",
                            "8"
                        ]
                    ],
                  "fields": [
                        {
                            "name": "foo"
                        },
                        {
                            "name": "bar"
                        }
                    ]
                },
                "meta": {}
            }
        },

ds.test example

The following code sample shows an example of ds.test.

"dataSources": {
       "test_search": {
          "type": "ds.test",
          "options": {
		"data": {
			"columns": [
			   [
			      "splunkd",
			      "splunkd_ui_access",
			      "splunkd_access",
			      "splunk_web_access",
			      "scheduler",
			      "splunk_web_service"
			     ],
			     [
		                "600",
				"525",
				"295",
				"213",
				"122",
				"19"
			      ],
			      [
				 "87.966380",
				 "50.381304",
				 "60.023780",
				 "121.183272",
				 "70.250513",
				 "90.194752"
				]
                                     ],
                                 "fields": [
				{
				  "name": "sourcetype"
						},
						{
						  "name": "count",
						  "type_special": "count"
						},
						{
						   "name": "percent",
						   "type_special": "percent"
						}
				        ]
				},
				"meta": {}
			},

ds.search

The ds.search data source is for ad hoc searches. It's structured by calling the dataSources module followed by the name you provide for the search, the data source type, and any options you want to make available. The only option that is required to return events is the query option, which is an SPL search.

All KPI and ad hoc search visualizations are of type ds.search. For more information, see Add a KPI visualization and Add an ad hoc search visualization.

The following snippet shows the structure of ds.search:

"dataSources": {
       "<search_id>": { 
              "type": "ds.search",
              "name": "<search_name>",
              "options": {},
              "meta": {}
            }
      }
},

The following snippet shows an example of ds.search for a KPI visualization:

"dataSources":{
   "ds_qoxtTg6k":{
      "type":"ds.search",
      "name":"test_service - test_service KPI 1",
      "options":{
         "query":"`get_full_itsi_summary_kpi(544bb528161b0decad02ad69)` `service_level_kpi_only` | timechart cont=false latest(alert_value) AS alert_value, latest(alert_color) AS alert_color"
      },
      "meta":{
         "kpiID":"544bb528161b0decad02ad69",
         "serviceID":"d1b1e040-fa2e-4f28-bc7b-b618f3b91afe"
      }
   }
},

The following snippet shows an example of ds.search for an ad hoc search visualization:

"dataSources": {
      "ds_qoxtTg6k": {
          "type": "ds.search",
          "name": "Search_1",
          "options": {
              "query": "index=_internal \n| stats count(log_level),
          }
      }
},

Change the glass table refresh interval

Configure the refresh rate to determine how often the visualizations on your glass table refresh. The global refresh interval, 1 minute by default, applies to all visualizations on your glass table. In the source editor, each visualization has the "refresh": "$RefreshRate$" setting by default.

Use the Refresh Rate dropdown menu to select a global refresh interval:

RefreshRate.png

Set the refresh rate of individual visualizations

To change the refresh rate of a single visualization, perform the following steps:

  1. Click sourceUDFsource.png and locate the search string of the visualization's data source within the dataSource section.
  2. Configure the refresh setting. Format the refresh interval in seconds. For example, "refresh": "300s".

The following visualization refreshes every 30 minutes, or 1800 seconds ("1800s"):

"dataSources": {
		"ds_qoxtTg6k": {
			"type": "ds.search",
			"name": "Search_3",
			"options": {
				"query": "index=buttercupgo_events | head 500",
				"queryParameters": {
					"latest": "now",
					"earliest": "-3600s"
				},
				"refresh": "1800s",
				"refreshType": "delay"
			}
		},
}
Last modified on 28 April, 2023
Configure the layout of glass tables in ITSI   Add visualizations to glass tables in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1, 4.19.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters