Splunk® IT Service Intelligence

Administer Splunk IT Service Intelligence

Download manual as PDF

Download topic as PDF

How service health scores work in ITSI

ITSI generates a health score for each service that you create. The health score is a good indicator of the status of a service and is a useful metric to display in Service Analyzer, glass tables, and deep dives. A decline in service health score can be the first sign of an issue that might lead to an outage. ITSI continuously monitors and updates service health scores.

Service health score calculations

Service health scores range from 0 to 100, with 0 being most critical and 100 being most healthy. The health score calculation is based on the current severity level of service KPIs (Critical, High, Medium, Low, and Normal) and the weighted average of the importance values of all KPIs in a service. For more information, see Set KPI importance values in ITSI.

The Info severity level is not included in the service health score calculation.

ITSI does not directly use KPIs or health scores of dependent services to calculate a service's health score. Service health scores are calculated based on the score_contribution value for each severity level. Score contribution values are defined in threshold_labels.conf. Do not modify these values.

For example, a service contains 2 KPIs. One KPI is Critical, so the score_contribution value is 0. The other KPI is Normal, so the score_contribution value is 100. Assuming both KPIs have the same importance values, the service health score will be 50.

The following formula is used to calculate service health scores:
SHS.png
Where:

    • N = count of KPIs
    • G = importance value of one KPI
    • K = the score contribution of the KPI (Normal=100, Low=70, Medium=50, High=30, Critical=0)

For example, if you set KPI importance values as follows: KPIImportanceValues.png

The service health score is calculated as follows:

Service health score = (100 ∗ 10/22) + (70 ∗ 7/22) + (30 ∗ 5/22) = 45.45 + 22.27 + 6.81 = 74.53

Impact of per-entity thresholds on service health scores

When a KPI is split by entity, if any entity has a severity level (based on entity thresholds) that is worse than the service aggregate severity, the service health score will be impacted. In some cases, this can cause the overall service health score to change significantly, while the aggregate KPI severity level changes only marginally or not at all.

For example, if you have a CPU % utilization KPI that is running against three entities, and 2 of those entities show normal severity, while the third shows critical, the overall service health score might show critical, while the aggregate KPI severity level remains normal.

Impact of service dependencies on service health scores

Any service dependencies that you add to a service will impact the service health score, based on the importance value that you set for dependent service KPIs. For more information, see Set importance values for service dependencies in this manual.

PREVIOUS
Bulk import services in ITSI
  NEXT
Overview of configuring KPIs in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1


Comments

Hi Dieter, we used to allow the user to exclude entity-level threshold values from health score calculations, but not anymore. If per-entity thresholds are enabled for a KPI, it will pick up the max value among all for the health score calculation.

Esnyder splunk, Splunker
January 3, 2019

Is there a way to prevent impact of per-entity thresholds on service health scores? I have 2 servers with a VIP in front of it. If one of the servers goes down the service is still reachable for the end users. So the entity should go to critical, and the aggregated KPI score goes to medium. This works as expected. But I don't want my service score to go to critical.

Dietercools
December 19, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters