Splunk® IT Service Intelligence

User Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.5.x will no longer be supported as of April 29, 2022. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure the KPI calculation metric in a deep dive in ITSI

The KPI calculation metric in an ITSI deep dive is the statistical operation performed on multiple KPI data points to appropriately downsize your data and plot it in a swimlane. This downsizing process is necessary because if the time range of your deep dive is large, ITSI can't render all the data points. Therefore, it uses the timechart command as an aggregator. It performs a process called "downsampling" to reduce the size of your data so it can be plotted in the deep dive.

For example, you have a 15-minute KPI over a 24-hour period, giving you 96 total data points. But if the deep dive is only capable of rendering 50 data points, is must reduce the size of that data from 96 to 50. ITSI distributes the 96 data points into 50 distinct buckets, then it uses the selected KPI Calculation Metric (average, median, maximum, or minimum) to perform a statistical operation on each bucket. It uses the output of that statistical operation as the single data point to plot in the deep dive for each time bucket.


The KPI calculation metric affects the aggregated KPI values across time as well as individual entity values if the KPI is split by entity. By default, ITSI takes an average of the KPI and entity data. You can switch the KPI calculation metric between average, median, maximum, and minimum. Note that the calculation metric you choose is not in any way extracted from the way the KPI is configured.

Changing the KPI calculation metric can help you better visualize search results aggregated over the selected time range. It can also help you troubleshoot issues if the current metric display isn't useful. Switching the calculation metric has no impact on the underlying KPI configuration.

Here's an example of how ITSI uses the KPI calculation to plot a KPI data points.

KPI Calculation Metric = Average

`get_itsi_summary_index` `service_level_kpi_only` `get_only_itsi_summary_kpi(66ec11b1f86a3a40f20253b9)`  | timechart limit=0 useother=0 avg(alert_value) by kpiid

KPI Calculation Metric = Max

`get_itsi_summary_index` `service_level_kpi_only` `get_only_itsi_summary_kpi(66ec11b1f86a3a40f20253b9)`  | timechart limit=0 useother=0 max(alert_value) by kpiid

Notice the only thing that changes is the operation taken on the alert_value - average or max. Each alert_value for a KPI is the actual aggregated numeric value of the KPI for this data point.

Last modified on 08 May, 2020
Configure event lanes in a deep dive in ITSI
Compare search results from different time ranges in an ITSI deep dive

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters