Splunk® IT Service Intelligence

Service Insights Manual

Acrobat logo Download manual as PDF


Splunk IT Service Intelligence (ITSI) version 4.9.0 isn't available for download. See the Install and Upgrade Manual for steps to upgrade to the latest version.
Acrobat logo Download topic as PDF

Configure deep dive lanes in ITSI

Configure metric, KPI, or event lanes in IT Service Intelligence deep dives to display search results and monitor your services.

Configure metric lanes in a deep dive in ITSI

Metric lanes in IT Service Intelligence (ITSI) deep dives display search results for a user-defined data model or ad hoc search. When you add a new metric lane to the deep dive, you configure a new data model or ad hoc search.

Prerequisites

  • You must have the write_itsi_deep_dive capability to add a swim lane to a deep dive. By default, the itoa_admin, itoa_team_admin, and itoa_analyst roles are assigned this capability.
  • Read and write access to services and KPIs is controlled by team permissions. When adding a new swim lane, you can only select from services to which you have read access. You cannot perform bulk actions on lanes for which you do not have read access.

Steps

  1. In the deep dive, select Add Lane > Add Metric Lane.
  2. Configure your new metric lane.
    Field Description
    Title The title for your new metric lane.
    Subtitle (optional) Additional info about your search, service, and so on.
    Graph Type Line, Area, or Column.
    Graph Color The color for your metric lane graph.
    Lane Size Small, Medium, or Large.
    Search Type Ad hoc: Type your custom search string in the Search field.
    Data Model: Select a data model and an aggregation operation. Add a Where clause that maps the data model search field to entity alias values (optional). For example, dest=myserver.com.
  3. Click Create Lane. Your new metric lane appears in the deep dive.
  4. Select the Primary Time Range for your metric lane. The selected primary time range applies to all lanes in the deep dive.

Configure KPI lanes in a deep dive in ITSI

KPI lanes in IT Service Intelligence (ITSI) deep dives display search results for existing KPIs in your services. KPI lanes also provide the option of running searches against the KPI summary index, which can accelerate search times.

Prerequisites

  • You must have the write_itsi_deep_dive capability to add a swim lane to a deep dive. By default, the itoa_admin, itoa_team_admin, and itoa_analyst roles are assigned this capability.
  • Read and write access to services and KPIs is controlled by team permissions. When adding a new swim lane, you can only select from services to which you have read access. You cannot perform bulk actions on lanes for which you do not have read access.

Create a KPI lane

  1. In the deep dive, select Add Lane > Add KPI Lane.
  2. Configure your new KPI lane.
    Field Description
    Title The title for your new KPI lane.
    Subtitle (optional) Additional info about your search, service, and so on.
    Graph Type Line, Area, or Column. For count-based KPIs, choose Column to display discreet numeric values without interpolation.
    Graph Color The color for your KPI lane graph.
    Lane Size Adjust the lane height for easier viewing and analysis.
    Service The service containing the KPI you want to display.
    KPI The specific KPI you want to display.
    Accelerate Using KPI Summary By default, all KPI searches are run against the itsi_summary index, which increases search speeds. Select No if you want to switch from itsi_summary index search to raw search. This option is disabled for KPI searches with calculation windows of 24 hour or more.
  3. Click Create Lane. Your new KPI lane appears in the deep dive.

Configure threshold options for a KPI lane

You can display KPI status as either a graph against horizontal color bands that represent threshold severity levels, or as discreet vertical color blocks that represent the severity level over a given unit of time. Threshold view options apply to KPI lanes only.

The following example shows the difference between level and state indication:

DDthreshold.png

Steps

  1. Click the gear icon DDgear.png in the KPI lane and select Threshold Options.
  2. Set Enable Threshold Indication to Yes.
  3. Choose a threshold indication type:
    Field Description
    Level Indication Displays thresholds as horizontal bands.
    State Indication Displays thresholds in distinct time blocks.

    State indication shows the aggregate KPI status for KPIs that are split by entity.

  4. (Optional) If you chose state indication, enable Hide Graph to show severity-level thresholds in distinct time blocks without the line graph.
  5. Click Done.

After you configure your threshold options, you can use the Bulk Actions menu to show or hide thresholds for selected lanes.

Configure graph rendering options for a KPI lane

Graph rendering options determine how a KPI's results are displayed in a swimlane. While the rendering options are set to reasonable defaults, you can alter them depending on the type of data you're analyzing.

To access the graph rendering options for a KPI lane:

  1. Click the gear icon DDgear.png in the KPI lane and select Graph Rendering Options.
  2. Configure the following options:

Vertical Axis Scale

The vertical axis scale determines the scale of the y-axis of your KPI swimlane. On a linear scale the value between any two data points never change. A logarithm is based on exponents, so on a logarithmic scale the value between two points changes in a particular pattern.

Option Description
Linear The scale for deep dive swim lanes. Use linear scale if your data stays within a relatively reasonable boundary of values.
Logarithmic Useful for datasets with very high numbers and very low numbers. If you want to see the behavior of the low numbers without them being overshadowed by the high numbers, use a logarithmic scale.

Vertical Axis Boundary

The vertical axis scale determines the starting and ending boundaries of the Y-axis of a KPI lane. Because deep dives are meant to compare the behavior of many metric time series to each other, the default is Data Extent.

Option Description
Data Extent Data Extent means that the lowest value in your data will be the lowest value of the Y-axis and the highest value of your data will be the highest value of the Y-axis. For example, if the lowest value in your data set is 23 and the highest is 50, the Y-axis will span from 23 to 50.


Data Extent helps you more easily visually correlate behavioral trends in data. For example, if a KPI is measuring requests per second, and you have millions of requests per second, the trend line would remain visually flat if the axis boundary started at zero. By using Data Extent, the Y-axis is essentially "zoomed in" to focus on the interesting part of the graph - the extent of the data.

Zero Extent Zero Extent is the same as Data Extent except it includes a minimum value of zero. For example, even if your data ranges from 23 to 50, the Y-axis boundary will be from zero to 50. Similarly, if your data ranges from -50 to -27, the Y-axis will range from -50 to zero. Zero extent is useful for datasets that don't have a lot of large numbers or variability.
Static Configure your own Y-axis boundaries depending on your use case. For example, if your KPI value is a percentage, change the vertical axis boundary to a minimum value of 0 and a maximum value of 100.

Graph Data Gaps

This setting determines how the deep dive displays gaps in your data. It's important to note that a "gap" doesn't necessarily mean data was missed.

When set to Connected, the deep dive essentially interpolates the data between the actual KPI data points collected at regular intervals. For example, your KPI search might be configured to run every five minutes, but deep dives by default display data for every few seconds. ITSI essentially draws a line between those two data points to connect them and fill in the "missed" five minutes. The following image shows a lane with connected data gaps:

DDconnected.png

When set to Gaps, the deep dive removes this interpolation and instead fills data gaps with gray boxes. For count-based KPIs, you can use this setting to see the discreet data points corresponding to the counts coming in. The following image shows a lane displaying data gaps:

DDgap.png

Configure event lanes in a deep dive in ITSI

Event lanes in IT Service Intelligence (ITSI) deep dives display the number of occurrences of a specific event type over time. For example, an event lane might show the number of times an error appears in your data. Light bands represent times where there are no events, and dark bands represent times when there were one or more events. Event lanes also let you drill down to a Splunk search and view all events in a selected time bucket directly inside the deep dive.

The following deep dive shows an example of how event lanes can help you troubleshoot outages. As database service errors start coming in, the Database Service Response Time KPI begins to degrade, soon after which the entire service health score drops. Clicking an event band displays the actual associated events to give you more information about the outage:

DDeventlane.png

Prerequisites

  • You must have the write_itsi_deep_dive capability to add a swim lane to a deep dive. By default, the itoa_admin, itoa_team_admin, and itoa_analyst roles are assigned this capability.
  • Read and write access to services and KPIs is controlled by team permissions. When adding a new swim lane, you can only select from services to which you have read access. You cab;t perform bulk actions on lanes for which you don't have read access.

Steps

  1. In the deep dive, select Add Lane > Add Event Lane.
  2. Configure your new event lane.
    Field Description
    Title The title for your new event lane.
    Subtitle (optional) Additional info about your search and service.
    Graph Color The color for your event lane graph.
    Lane Size Adjust the size of the lane for easier viewing and analysis.
    Event Search The event search to display in the lane. For example, a search for Windows security events might be:

    index=itsidemo sourcetype=wineventlog:security

    Event searches can't contain reporting search commands, such as stats and timechart.

  3. Click Create Lane. Your new event lane appears.
Last modified on 18 June, 2021
PREVIOUS
Overview of deep dives in ITSI
  NEXT
Configure the KPI aggregation metric in a deep dive in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters