Splunk® IT Service Intelligence

User Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.7.0 reached its End of Life on October 28, 2022.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Monitor your services with the ITSI Service Analyzer

The Service Analyzer in IT Service Intelligence (ITSI) shows a unified view of all the services and KPIs in your IT environment. To access the Service Analyzer tile view, click the tile icon Tile icon.png on the Service Analyzer. Whichever view you save last loads the next time you open the Service Analyzer.

The Service Analyzer lists the top 50 most critical services and KPIs you're monitoring. Change the number of services or KPIs to display by clicking the gear icon ITSI gear.png. The number and color of each tile indicates the current severity level of the service or KPI, while the sparkline shows the trend of the value for the selected time range. The following image shows an example Service Analyzer:


A notification icon ( Exclamation.png ) on a tile indicates one or both of the following conditions exists within the selected time range:

  • The service or KPI has one or more entities in a degraded state.
  • The service has one or more critical or high episodes associated with it.

Hover over the icon to find out which conditions exist. Select the tile to open the side panel with more information.

You can only view services and KPIs that you have read access to. Read and write access to services and KPIs is controlled by teams. For information about teams, see Overview of teams in ITSI in the Administration Manual.

The minimum time range that can be selected in the time picker is 45 minutes. This is the minimum length of time needed to ensure all KPI data is available.

Filter services and KPIs

You can't filter services or KPIs unless you have read access to those services and KPIs.

Filter the services and KPIs using the Filter Services, Filter KPIs, and Filter by Tags. boxes. When you filter by service, only the KPIs that belong to the filtered services are displayed. When you filter by KPI, only the services associated with the KPI are displayed. When you filter by tags, only services containing those tags are shown, as well as their KPIs.

All filters added within a single filter box have an implied OR clause. For example, service_A OR service_B. However, across the filter boxes there's an implied AND clause. For example, service_A AND kpi_B AND tag_C.

The filters support wildcards. For example, if you want to display only your three database services called DB1, DB2, and DB3, you could simply filter by DB*.

You can also filter the KPIs for already filtered services. For example, to see only the Database Service Response Time KPI for the three database services, filter your KPIs by *response*.

Show disabled services

By default, disabled services and KPIs associated with disabled services are not shown on the Service Analyzer. Select Show disabled service(s) to display disabled services and their corresponding KPIs. The tiles for disabled services and KPIs are grey and display N/A instead of a number.

Show service dependencies

By default, when you filter by a service, the Service Analyzer only displays that service and its individual KPIs. Select Show service dependencies to also display the services that impact the filtered service and all KPIs within those services.

Automatically refresh the Service Analyzer

You can configure the Service Analyzer to automatically refresh. By default, auto-refresh is disabled. Enable it in itsi_service_analyzer.conf.

Auto-refresh automatically refreshes all of the searches displayed on the Service Analyzer. So if you have the KPI side panel open, those searches are also executed. Auto-refresh doesn't execute service health score or KPI calculations. It only refreshes the searches on the Service Analyzer by fetching the latest calculated health score from the itsi_summary index.

Real-time searches such as Real-time and All time are not available in the time range picker.


  • Only users with file system access, such as system administrators, can enable automatic refresh using a configuration file.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.


  1. Open or create a local itsi_service_analyzer.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local.
  2. Add the following stanza:
    disabled = 0
    interval = 180
  3. Restart your Splunk software.

The interval setting is in seconds and defines the time interval to automatically refresh the Service Analyzer. This configuration file setting applies to the default Service Analyzer and all saved service analyzer views.

Monitor services

The number displayed in a service tile indicates the service health score. Service health scores range from 0 to 100, with 0 being most critical and 100 being most healthy.

Service Health Score Severity level Color
0-20 Critical Criticle.png
20-40 High High.png
40-60 Medium Medium.png
60-80 Low Yellow.png
80-100 Normal Green.png

The service health score calculation is based on the current severity level of service KPIs (critical, high, medium, low, and normal) and the user-defined KPI importance value. For information about how the service health score is calculated, see How service health scores work in ITSI in the Service Insights manual.

If a service is in maintenance mode, the tile is dark grey and contains a maintenance icon Maint icon.png.

Monitor KPIs

The number displayed in a KPI tile is the aggregate severity-level returned from the KPI search of the data. For example, you could have a KPI called Successful Logins that is a count of logins to your website. When a KPI is created in ITSI, aggregate severity-level thresholds of Normal, Low, Medium, High, and Critical are defined. If a KPI is split by entity, entity severity-level thresholds are also defined. The color corresponding to the aggregate severity-level is displayed in the KPI tile in the Service Analyzer by default. For more information about configuring KPI severity levels, see Configure KPI thresholds in ITSI in the Service Insights manual.

The name of the service that the KPI is associated with is displayed on the line beneath the name of the KPI for reference.

Grey KPI tiles indicate one of the following conditions:

  • The KPI search has returned no data matching the search criteria. The sparkline is flat in this case.
  • The KPI is associated with a disabled service (when the Show disabled service(s) check box is checked).
  • The KPI is associated with a service in maintenance mode (displayed in dark grey with a maintenance icon Maint icon.png)

Drill down to a deep dive

You can drill down from the Service Analyzer tile view to a deep dive where you can view and compare service health scores or KPI search results over time.

  1. Select the check box on one or more service or KPI tiles.
  2. Click Drilldown to Deep Dive.

If you select a single service or a single KPI, all KPIs associated with that service appear in the deep dive. If you select multiple services or KPIs, only the associated service health scores appear.

For more information about deep dives, see Overview of deep dives in ITSI in this manual.

Why does a tile say "Waiting for data"?

You can change the number of tiles shown in the Service Analyzer. If you set the number of tiles too high (50 or greater), the two indexed real-time searches that generate the tiles might hang and show a "Waiting for data" message. This occurs only on the specific search head. This issue mostly occurs as a result of KV store performance issues in a search head cluster environment.


  • Avoid increasing the number of tiles in a search head cluster environment.
  • Use filters to display only the specific services and KPIs that require monitoring.
  • Set the number of visible tiles to the lowest number possible.
Last modified on 19 January, 2021
Overview of the Service Analyzer in ITSI
Use the Service Analyzer tree view in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters