Splunk® IT Service Intelligence

User Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.3.x will no longer be supported as of July 17, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Aggregate versus maximum severity KPI values in ITSI

Use the KPI Value dropdown at the top of the Service Analyzer to change the way KPI values are presented in the Service Analyzer.



Aggregate is the default view in Service Analyzer. It shows the most recent value of the KPI as defined in the KPI calculation settings in the service definition. An example of the calculation settings for a KPI called "Storage Free Space: %" is shown below.


In this example, the Service/Aggregate Calculation is set to report on the average percentage of free space across all contributing entities. This average is the value that is displayed when "KPI Value: Aggregate" is selected in Service Analyzer.

Max Severity

The Max Severity view shows the worst performing value for the KPI. This value is either the value of the worst performing entity for the KPI, or -- if the aggregated value of all contributing entities is worse than the value of any single contributing entity -- the aggregated value of all contributing entities. Using Max Severity KPI values can help you identify which KPI is affecting the service health score of a service the most.

For the example above, if "KPI Value: Max Severity" is selected in Service Analyzer, the KPI for Storage Free Space: % will show the value of the worst performing entity if any of the entity values is worse than the Service/Aggregate value.

If a KPI is not split by entity, the Aggregate and Max Severity values for the KPI are the same.

Example of the difference between using aggregate KPI value vs. max severity

For example, let's say you have a Database service that contains the KPI "Storage Free Space: %". This KPI is split by entity and there are three entities (hosts): mysql-01, mysql-02, and mysql-03.

Agg threshold2.png

Because it is critical to know if any host is running low on disk space, you have set entity thresholds to be more sensitive than the aggregate thresholds in the service definition as shown below.


In this scenario, the mysql-02 host is running critically low on disk space. The Database service is showing a high severity level (orange) on the Service Analyzer. You want to know which KPIs are responsible for the low health score.

Using the Aggregate KPI view, the Storage Free Space: % KPI could be green even though the mysql-02 host is critically low on disk space. This is because when the value of mysql-02 is aggregated with the value of the other two hosts (entities), the value is still within the normal threshold that was set in the aggregate thresholds for the KPI.

If you switch to the Max Severity KPI view, the KPI shows the value of the worst performing entity rather than an aggregated value. Therefore, the KPI switches from green to red (critical) and the value of the KPI changes to reflect the alert value for mysql-02.

Now that you've identified the KPI that is most likely responsible for the degraded health score of the Database service, you can click the KPI tile to see which entity for the Storage Free Space: % KPI is lowest on disk space (mysql-02 in this example).

Last modified on 29 August, 2019
Create a custom service analyzer view in ITSI
Investigate a service with poor health in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters