Splunk® IT Service Intelligence

Service Insights Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Acrobat logo Download topic as PDF

Split and filter a KPI by entities in ITSI

Split a KPI by entities in IT Service Intelligence (ITSI) to monitor each individual entity against which the KPI search runs. You can also filter a KPI by service entities to reduce collection of extraneous data by only running the KPI search against a specific service's entities. Splitting and filtering gives you more granular control of your KPI at the entity level.

Entity rule best practices

Entity rules within a service ensure that you dynamically filter to the entities that matter in your environment. Use entity rules that are prescriptive enough that you catch the entities you care about for that service. If you're matching service-level entity rules to tens and thousands of entities, it can be difficult to monitor the entities you're interested in, which can slow internal operations.

ITSI doesn't limit the number of matching entities for a service. Be mindful of the performance implication when you have a lot of entities matched for a single service.

Split a KPI by entity

The Split by Entity option lets you maintain a breakdown of KPI values at the entity level. Split KPI results by a specific entity to monitor each individual entity against which a KPI is running.

You must split KPIs by entity to use the following ITSI features:

Configure the following fields:

Field Description
Split by Entity Enable a breakdown of KPI values at the entity level. The KPI must be running against two or more entities.
Entity Split Field The field in your data to use to look up the corresponding split by entities. The default lookup field for data model searches and ad hoc searches is host. For metrics searches, select a dimension associated with the metric. This field is case sensitive.

When filtering a KPI down to entities, you can split by a field other than the field you're using for filtering the entities (specified in the Entity Filter Field). This lets you filter to the hosts that affect your service, but split out your data by a different field. For example, you might want to filter down to all of your database hosts but split the metric by the processes running on the hosts.

Filter a KPI by service entities

Entity filtering lets you specify the service entities against which a KPI search runs. Provide an entity filter field to reduce collection of extraneous data. For example, if you enable entity filtering for a KPI in the Online Sales service, only entities assigned to the Online Sales service are used to calculate the KPI search metrics.

Note: Entities are assigned to service through entity rules. For more information, see Define entity rules for a service in ITSI.

Field Description
Filter to Entities in Service Enable or disable entity filtering. To filter to entities in a service, the service must have associated entities. If the service does not have associated entities, an error message appears.
Entity Filter Field The entity alias field name already defined within each entity that will be used to create a fieldname=value filter. The filter is applied as a suffix sub-search to the main KPI search. You can only filter to alias fields defined in entities, not the entity title. For metrics searches, select a dimension for the metric. The default field for data model searches, ad hoc searches, and metrics searches is host. This field can be different than the field used for the Entity Split Field.

Next steps

After you configure entity split and filter fields, move on to step 3: Configure KPI monitoring calculations in ITSI.

Last modified on 20 July, 2021
PREVIOUS
Define a KPI source search in ITSI
  NEXT
Configure KPI monitoring calculations in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters