Add KPI_Base_Search to ITSI through API Post

Path Finder

Hello,

I was wondering if it is possible to add a KPI_Base_Search to a service's kpis? I know I can do it through the GUI, but I have about 500+ metrics that I need to add to my service. When I try to add a KPI to my service, it yells at me for not including a base_search. I don't want to add a kpi as an ad hoc search, but rather as a base search. Does anyone know what that sort of update would look like? Also, how do I get my kpi_base_search's base_search_metric?

Best,
Alli

0 Karma
1 Solution

Path Finder

I found the answer. You need to include the information I have in the dictionary below. The most necessary part of those parameters is the "search_type". If this is not specified, it will default to an ad hoc search instead of using a kpi_base_search.

    payload['kpis'] = [{"base_search_id":baseSearchKey, "base_search_metric":metricKey, "title":kpiName,
                        "search_alert_earliest": 1, "alert_period":1, "is_entity_breakdown":True,
                        "entity_id_fields":"unlocode", "entity_alias_filtering_fields":"unlocode,san-id",
                        "is_service_entity_filter":True, "alert_lag":2, "unit":"", "entity_statop":"latest",
                        "aggregate_statop":"latest", "_key":baseSearchKey,
                        "base_search":baseSearch, "urgency":5,
                        "threshold_field":metric,"search_type":"shared_base"}]

Hope this can help someone else 🙂

0 Karma

Path Finder

just curious if you could also tell what endpoint you used? eg. /itoa_interface/service/....

0 Karma

Path Finder

When you have multiple services using the base search, how do you get it to generate unique "keys" for each of the KPIs?

0 Karma

Path Finder

If I remember correctly, Splunk will auto generate these keys for you. I created my own unique value for _key: hashlib.sha224(baseSearchKey+metric_name).hexdigest(). Basically just a hash of the metric name concatenated with the Splunk generated key from my base search, the latter of which can be found by using Splunk's ITSI api.
When you go to look at the service you just created, you will notice that the service's summary will say that it has no KPIs. If you click on the service, you will see that the service has all the KPIs you just added. Then when you alter and save the service, Splunk will replace all of your hash-generated keys with their own unique keys. The summary of the service will now reflect the actual number of KPIs it has.
This was the only way I was able to hack this together. If you find a better way, please share 🙂

Path Finder

This works great.
BTW, if you also set the service to 'enabled': 0, effectively disabling the service, when you add the base search, all you then have to do is go into the UI and quickly Enable it instead of opening it and changing something.

The KPI is then recognized.

Path Finder

Ooo good to know, I'll have to change my implementation a little bit. Thanks for sharing!

0 Karma

Path Finder

Thanks! Figured it was going to take some hacky way to make it work.

What would be really nice is for the API to expose whatever happens when you Clone a KPI, then all items would be populated correctly.

0 Karma

Path Finder

I used /itoa_interface/service -H "Content-Type: application/json" -X POST -d
I was creating services from scratch, but I suppose you could also update a preexisting service with a JSON payload of your kpis.

0 Karma
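Added example, not code from any post in this thread: a payload builder that combines the points above (`"search_type": "shared_base"`, a `_key` derived as sha224 of the base search key plus the metric name, and `'enabled': 0`) for a service body to POST to `/itoa_interface/service`. The layout of the `metrics` list in the sample base search object and the service `title` field are assumptions, all sample values are constructed, and the entity-related fields from the accepted answer are omitted because they are site-specific.

```python
import hashlib
import json

# Constructed sample standing in for a kpi_base_search object fetched from ITSI.
# The "metrics" list layout is an assumption; check it against your own object.
SAMPLE_BASE_SEARCH = {
    "_key": "bs-0001-constructed",
    "base_search": "index=example sourcetype=example:metrics",
    "metrics": [
        {"_key": "m1", "title": "cpu_load", "threshold_field": "cpu_load"},
        {"_key": "m2", "title": "mem_used", "threshold_field": "mem_used"},
    ],
}

def kpi_key(base_search_key, metric_name):
    """Per-KPI _key as described in the thread: sha224(base search key + metric name)."""
    return hashlib.sha224((base_search_key + metric_name).encode("utf-8")).hexdigest()

def build_kpi(base_search, metric):
    """One KPI entry bound to a shared base search rather than an ad hoc search."""
    return {
        "_key": kpi_key(base_search["_key"], metric["title"]),
        "title": metric["title"],
        "search_type": "shared_base",  # if omitted, the KPI defaults to ad hoc
        "base_search_id": base_search["_key"],
        "base_search_metric": metric["_key"],
        "base_search": base_search["base_search"],
        "threshold_field": metric["threshold_field"],
        "urgency": 5, "unit": "", "alert_period": 1, "alert_lag": 2,
        "search_alert_earliest": 1,
        "entity_statop": "latest", "aggregate_statop": "latest",
    }

def build_service(title, base_search):
    """Service body for the POST, created disabled so it can be enabled in the UI."""
    kpis = [build_kpi(base_search, m) for m in base_search["metrics"]]
    keys = [k["_key"] for k in kpis]
    if len(set(keys)) != len(keys):
        # Two metrics with the same title would hash to the same _key.
        raise ValueError("duplicate KPI _key: metric titles must be unique")
    return {"title": title, "enabled": 0, "kpis": kpis}

if __name__ == "__main__":
    print(json.dumps(build_service("Example Service", SAMPLE_BASE_SEARCH), indent=2))
```
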

SplunkTrust

You need to configure the base search first then reference the base search in each KPI.

You can do that by going to Configure>Base Search

0 Karma

Path Finder

I did, I have kpi_base_search objects all set up. Now I want to link them to a service through the API. How would I go about doing that? I was assuming it would be something like

    curl -k -u admin:password "https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service//?is_partial_data=1" -X POST -H "Content-Type:application/json" -d '{??????}'

0 Karma