Splunk® IT Service Intelligence

User Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.4.x will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Add overlays to a deep dive in ITSI

Overlays in a deep dive can show you more detailed information about a KPI that is not always obvious from the aggregate KPI value. Entity overlays let you see how specific entities are performing relative to others and to the aggregate value. Anomaly overlays let you see statistical outliers in KPI search results.

Add entity overlays

Entity overlays show KPI search results for individual entities over the aggregate search results in a KPI lane. You can use entity overlays to compare how individual entities are performing relative to other contributing entities, and to the aggregate KPI value. For details on how to configure KPIs for entity overlay, see Use Split by Entity in the ITSI Installation and Configuration Manual.

  1. Click the gear icon in the KPI lane and select Lane Overlay Options.
  2. Click Yes to enable overlays.
  3. Select an Overlay Selection Mode.
    Field Description
    Static Choose the specific entities to show as lane overlays.
    Dynamic Lets ITSI automatically render the three worst performers as lane overlays.
  4. Click Save. The entity overlays appear in the KPI lane.

Drilldown to OS host details

The ITSI Operating System (OS) module provides pre-configured KPIs that let you drilldown from entity overlays to the OS Host Details dashboard.

Make sure that you are using a KPI provided by the OS module in the service creation workflow. The OS module pre-populates services with specific entity rules and pre-builts KPIs.

  1. Add an entity overlay as shown in the previous section.
  2. Click on the entity overlay graph to display the drilldown menu.
  3. Select OS Host Details to open the OS Host Details dashboard inside Splunk.

For more information, see About the Operating System module in the Splunk IT Service Intelligence Modules manual.

Add individual entity lanes

You can view all entities contributing to a KPI in individual entity lanes. Breaking out entities into individual lanes makes it easier to compare KPI values for each entity with the aggregate KPI value.

  1. Click in the KPI lane and select Add Overlay as Lane.
    All entity overlays in the KPI lane appear in individual lanes.
  2. Click the gear icon in one of the entity lanes and select Threshold Options.
  3. Click Yes to enable threshold indication, then select the threshold type (level or state). The entity lane edit menu provides additional options for customizing the appearance of entity lanes.
  4. Click Done.
    After you add individual entity lanes, you can use the Bulk Actions menu to hide entity overlays in the parent KPI lane, or disable entity overlays from the "Lane Overlay Options" in the parent KPI lane edit menu.

Add anomaly overlays

ITSI provides anomaly detection algorithms that detect statistical outliers in KPI search results. Anomaly overlays let you view these outliers and track anomalous trends in your KPI data.

For more information, see Detect anomalous KPI behavior in ITSI in the Administer IT Service Intelligence manual.

  1. Click the gear icon in the KPI lane and select Lane Overlay Options.
  2. Enable overlays.
  3. For Overlay Type choose Anomaly.
  4. Select the KPI lane to enable Bulk Actions.
  5. In the Bulk Actions menu, select Show Anomaly Overlays.
    Anomalies detected in the current time range now appear in the KPI lane.
    Anomaly overlay new.png
  6. Click on the anomaly flag to view event details, or to add a new anomaly overlay lane to the deep dive view.
Last modified on 27 March, 2020
Compare search results from different time ranges in an ITSI deep dive
Create a multi-KPI alert from a deep dive in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters