Splunk® IT Service Intelligence

User Manual

Acrobat logo Download manual as PDF


Splunk IT Service Intelligence version 4.4.x will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Add and modify deep dive swim lanes ITSI

Swim lanes are the individual metric rows within a deep dive. You can stack multiple swim lanes to do a side-by-side comparison of metrics across your services. Deep dives support the following lane types:

Lane type Description
Metric lane Display search results for a user-defined data model or ad hoc search. When you add a new metric lane to the deep dive, you can configure a new data model or ad hoc search.
KPI lane Display search results for existing KPIs in your services. KPI lanes also provide the option of running searches against the KPI summary index, which can accelerate search times.
Event lanes Display the number of occurrences of a specific event type over time. For example, an event lane might show the number of times an error appears in your data. Event lanes also let you drill down to Splunk search and view all events in a selected time bucket directly inside the deep dive.

There are several ways to add new lanes to your deep dive, including:

  • Create new lanes using the Add Lane menu in the deep dive
  • Add KPI lanes from the topology tree sidebar within the deep dive
  • Click on a KPI in a different ITSI context, such as Service Analyzer or a glass table.

When you drill down to a deep dive from a different ITSI context, such as the Service Analyzer, the generated deep dive is considered an "unnamed" deep dive. If you add a new lane to it, the lane is automatically saved into the deep dive without having to click Save.

Prerequisites

  • You must have the write_itsi_deep_dive capability to add a swim lane to a deep dive. By default, the itoa_admin, itoa_team_admin, and itoa_analyst roles are assigned this capability.
  • Read and write access to services and KPIs is controlled by service-level permissions. When adding a new swim lane, you can only select from services to which you have read access. You cannot perform bulk actions on lanes for which you do not have read access.

Add a new metric lane

  1. In the deep dive, select Add Lane > Add Metric Lane.
  2. Configure your new metric lane.
    Field Description
    Title The title for your new metric lane.
    Subtitle (optional) Additional info about your search, service, and so on.
    Graph Type Line, Area, or Column.
    Graph Color The color for your metric lane graph.
    Lane Size Small, Medium, or Large.
    Search Type Ad hoc: Type your custom search string in the Search field.
    Data Model: Select a data model, then select the aggregation operation. Add a Where clause that maps the data model search field to entity alias values (optional). For example, dest=myserver.com.
  3. Click Create Lane. Your new metric lane appears in the deep dive.
  4. Select the Primary Time Range for your metric lane. The selected primary time range applies to all lanes in the deep dive.

Add a new KPI lane

  1. In the deep dive, select Add Lane > Add KPI Lane.
  2. Configure your new KPI lane.
    Field Description
    Title The title for your new KPI lane.
    Subtitle (optional) Additional info about your search, service, and so on.
    Graph Type Line, Area, or Column.
    Graph Color The color for your KPI lane graph.
    Lane Size Small, Medium, or Large.
    Service The service that contains the KPI you want to display in the lane.
    KPI The specific KPI you want to display.
    Accelerate Using KPI Summary By default, all KPI searches are run against the itsi_summary index, which increases search speeds. Select No if you want to switch from itsi_summary index search to raw search. This option is disabled for KPI searches with calculation windows of 24 hour or more.
  3. Click Create Lane. Your new KPI lane appears in the deep dive.

Tip: If your KPI is a percentage, click the gear icon for the KPI lane and select Graph Rendering Options. Change Vertical Axis Boundary to Static with a Min Value of 0 and a Max Value of 100.

Tip: For count based KPIs, to see discreet numeric values without interpolation, click the gear icon for the KPI lane and select Edit Lane and change Graph Type from Line to Column. You can also click the gear icon and select Graph Rendering Options. Change Graph Data Gaps from Connected to Gaps to see the discreet data points that correspond to the counts coming in.

Add a new event lane

  1. In the deep dive, select Add Lane > Add Event Lane.
  2. Configure your new event lane.
    Field Description
    Title The title for your new event lane.
    Subtitle (optional) Additional info about your search and service.
    Graph Color The color for your event lane graph.
    Lane Size Small, Medium, or Large.
    Event Search The event search that you want to display in the lane. Event searches cannot contain reporting search commands, such as stats and timechart.
  3. Click Create Lane. Your new event lane appears.

Set lane threshold options

You can set threshold view options to display KPI status as either a graph against color bands that represent threshold severity levels, or as discreet color blocks that represent the severity level over a given unit of time. Threshold view options apply to KPI lanes only.

  1. Click the gear icon in the KPI lane and select Threshold Options.
  2. Set Enable Threshold Indication to Yes.
  3. Select a Threshold Indication Type:
    Field Description
    Level Indication Shows severity-level thresholds as horizontal bands behind the graph.
    State Indication Shows severity-level thresholds in distinct time blocks behind the graph.

    Threshold state indication shows aggregate KPI status for KPIs that are split by entity.

  4. (Optional) Enable Hide Graph to show severity-level thresholds in distinct time blocks without the line graph.
  5. Click Done.

After you configure your threshold options, you can use the Bulk Actions menu to show or hide thresholds for selected lanes.

Last modified on 30 April, 2020
PREVIOUS
Overview of deep dives in ITSI 		  NEXT
Compare search results from different time ranges in an ITSI deep dive

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters