Add overlays to a deep dive in ITSI

Overlays in a deep dive can show you more detailed information about a KPI that is not always obvious from the aggregate KPI value. Entity overlays let you see how specific entities are performing relative to others and to the aggregate value. Anomaly overlays let you see statistical outliers in KPI search results.

Add entity overlays

Entity overlays show KPI search results for individual entities over the aggregate search results in a KPI lane. You can use entity overlays to compare how individual entities are performing relative to other contributing entities, and to the aggregate KPI value. For details on how to configure KPIs for entity overlay, see Use Split by Entity in the ITSI Installation and Configuration Manual.

1. Click the gear icon in the KPI lane and select Lane Overlay Options.
2. Click Yes to enable overlays.
3. Select an Overlay Selection Mode.

   Field	Description
   Static	Choose the specific entities to show as lane overlays.
   Dynamic	Lets ITSI automatically render the three worst performers as lane overlays.

4. Click Save. The entity overlays appear in the KPI lane.

Drilldown to OS host details

The ITSI Operating System (OS) module provides pre-configured KPIs that let you drilldown from entity overlays to the OS Host Details dashboard.

Make sure that you are using a KPI provided by the OS module in the service creation workflow. The OS module pre-populates services with specific entity rules and pre-builts KPIs.

1. Add an entity overlay as shown in the previous section.
2. Click on the entity overlay graph to display the drilldown menu.
   
3. Select OS Host Details to open the OS Host Details dashboard inside Splunk.

For more information, see About the Operating System module in the Splunk IT Service Intelligence Modules manual.

Add individual entity lanes

You can view all entities contributing to a KPI in individual entity lanes. Breaking out entities into individual lanes makes it easier to compare KPI values for each entity with the aggregate KPI value.

1. Click in the KPI lane and select Add Overlay as Lane.
   
   All entity overlays in the KPI lane appear in individual lanes.
2. Click the gear icon in one of the entity lanes and select Threshold Options.
3. Click Yes to enable threshold indication, then select the threshold type (level or state). The entity lane edit menu provides additional options for customizing the appearance of entity lanes.
4. Click Done.
   After you add individual entity lanes, you can use the Bulk Actions menu to hide entity overlays in the parent KPI lane, or disable entity overlays from the "Lane Overlay Options" in the parent KPI lane edit menu.

Add anomaly overlays

ITSI provides anomaly detection algorithms that detect statistical outliers in KPI search results. Anomaly overlays let you view these outliers and track anomalous trends in your KPI data.

For more information, see Detect anomalous KPI behavior in ITSI in the Administer IT Service Intelligence manual.

1. Click the gear icon in the KPI lane and select Lane Overlay Options.
2. Enable overlays.
3. For Overlay Type choose Anomaly.
4. Select the KPI lane to enable Bulk Actions.
5. In the Bulk Actions menu, select Show Anomaly Overlays.
   Anomalies detected in the current time range now appear in the KPI lane.
   
   
6. Click on the anomaly flag to view event details, or to add a new anomaly overlay lane to the deep dive view.