Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.4.x will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Overview of creating KPIs in ITSI

A KPI (Key Performance Indicator) is a recurring saved search that returns the value of an IT performance metric, such as CPU load percentage, memory used percentage, response time, and so on.

ITSI lets you create KPIs and add them to your services. You can then use KPI search result values inside ITSI to monitor service health, check the status of IT components, and troubleshoot trends that might indicate an issue with your IT systems.

For example, cpu_load_percent is a KPI that measures the CPU load percentage on a server. If your organization has a site uptime guarantee of 99.9% per month, you will need to monitor the status of this KPI (and others) to ensure that CPU performance remains within acceptable parameters.

When you initially create a KPI search, you configure the following set of search properties:

Property Description Required?
Source search A search string that you define as the basis for your KPI, using a data model, ad hoc search, metrics search, or base search. Yes
Entity Split Field A field in your data that can be used to break down the KPI. This option lets you apply a KPI search to multiple entities, enabling comparative analysis of search results on a per-entity basis. This field can be different from the Entity Filter Field. Optional
Entity Filter Field Filter entities in or out of a KPI search. Optional
Monitoring calculations The recurring KPI search schedule and statistical operations on search results, including service health score calculations. Yes
Backfill Fills the summary index (itsi_summary) with historical raw service health score data. Optional
Severity-level thresholds Thresholds that you apply to KPI search results. Severity-level thresholds let you monitor KPI status (normal, low, medium, high, and critical) and set trigger conditions for alerts. Yes

For example, to monitor the CPU load percentage of an entity (machine) in a service, you can create a KPI using an ad hoc base search that returns the value of the field cpu_load_percent at 5 minute intervals over a 5 minute time range, then set a range of severity-level thresholds between 0% and 100%.

For a step-by-step guide to adding a KPI to a service, see Add a KPI to a service in ITSI. After you add a KPI to a service, you can perform other configuration tasks, like setting KPI importance values and applying anomaly detection.

See also

  1. Set KPI importance values in ITSI
  2. Create KPI threshold time policies in ITSI
  3. Detect anomalous KPI behavior in ITSI
Last modified on 04 March, 2020
How service health scores work in ITSI
Add a KPI to a service in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters