Splunk® IT Service Intelligence

Administer Splunk IT Service Intelligence

Download manual as PDF

Download topic as PDF

How service health scores work in ITSI

ITSI generates a health score for each service that you create. The health score is a good indicator of the status of a service and is a useful metric to display in Service Analyzer, glass tables, and deep dives. A decline in service health score can be the first sign of an issue that might lead to an outage. ITSI continuously monitors and updates service health scores.

Service health score calculations

Service health scores range from 0 to 100, with 0 being most critical and 100 being most healthy. The health score calculation is based on the current severity level of service KPIs (Critical, High, Medium, Low, and Normal) and the weighted average of the importance values of all KPIs in a service. For more information, see Set KPI importance values in ITSI.

The Info severity level is not included in the service health score calculation.

ITSI does not directly use KPIs or health scores of dependent services to calculate a service's health score. Service health scores are calculated based on the score_contribution value for each severity level. Score contribution values are defined in threshold_labels.conf. Do not modify these values.

For example, a service contains 2 KPIs. One KPI is Critical, so the score_contribution value is 0. The other KPI is Normal, so the score_contribution value is 100. Assuming both KPIs have the same importance values, the service health score will be 50.

The following formula is used to calculate service health scores:
SHS.png
Where:

    • N = count of KPIs
    • G = importance value of one KPI
    • K = the score contribution of the KPI (Normal=100, Low=70, Medium=50, High=30, Critical=0)

For example, if you set KPI importance values as follows: KPIImportanceValues.png

The service health score is calculated as follows:

Service health score = (100 ∗ 10/22) + (70 ∗ 7/22) + (30 ∗ 5/22) = 45.45 + 22.27 + 6.81 = 74.53

Impact of per-entity thresholds on service health scores

When a KPI is split by entity, if any entity has a severity level that's worse than the service aggregate severity, the service health score is impacted. K in the equation above represents the score contribution of a KPI. However, if the KPI is split by entity, the worst entity is taken as the score contribution. Therefore, while the aggregate KPI score might be 100 (Normal), one of the entities within that KPI might be 30 (High), so the overall score contribution of that KPI will be 30.

In some cases, entity severity contributions can cause the overall service health score to change significantly, while the aggregate KPI severity level changes only marginally or not at all. For example, if you have a CPU % utilization KPI that is running against three entities, and two of those entities show normal severity, while the third shows critical, the overall service health score might show critical, while the aggregate KPI severity level remains normal.

For more information about per-entity thresholds, see Set per-entity threshold values in the KPI configuration workflow.

Impact of service dependencies on service health scores

Any service dependencies that you add to a service will impact the service health score, based on the importance value that you set for dependent service KPIs. For more information, see Set importance values for service dependencies in this manual.

Last modified on 23 January, 2020
PREVIOUS
Clone a service in ITSI 		  NEXT
Overview of configuring KPIs in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2

Comments

Hi Satya, thanks for the feedback. We don't support per-entity health scores. The health score is only relevant in the service context. The individual entities contribute to the overall service's health. KPIs monitor that health and report a health score.

Esnyder splunk, Splunker
December 9, 2019

Splunk Team ,
This is just a thought , as I see how valuable the information is, and the visual affect. Due to this ,most of are in 2 minds. So, would request you to reconsider alternatives.

How about adding an option on Per entity ( Applicable for Health Score?)
If checked then only use it calculation - if not use it for Display.i.e Un Check = Not Setup.


Satya

Satyab
December 9, 2019

Hi Dieter, we used to allow the user to exclude entity-level threshold values from health score calculations, but not anymore. If per-entity thresholds are enabled for a KPI, it will pick up the max value among all for the health score calculation.

Esnyder splunk, Splunker
January 3, 2019

Is there a way to prevent impact of per-entity thresholds on service health scores? I have 2 servers with a VIP in front of it. If one of the servers goes down the service is still reachable for the end users. So the entity should go to critical, and the aggregated KPI score goes to medium. This works as expected. But I don't want my service score to go to critical.

Dietercools
December 19, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters