Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Gaps in Backfill Data for an ITSI KPI

LH_Splunker
Explorer
‎07-11-2024 01:41 AM

Hello all,

I've run into a problem with the backfill upon creating (also tried cloning) a KPI in regards to Splunk License Metrics using the following search: 

 index=_internal source=*license_usage.log type="Usage" 
| fields idx, b 
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin span=5min _time 
| stats sum(b) as b by indexname, _time 
| eval GB=round(b/1024/1024/1024, 3) 
| fields _time, indexname, GB

The Use Case: 

I want a KPI for the License Usage with the separate Indexes as Entities. 

Configuration info:  

Seeing as I want the License Info on an per Index-Basis I konfigured the KPI to be split into Entities by the field "indexname".

As for the Frequency and Calculation I selected:  

Calculating Maximum of GB per entity as entity value, 
Sum of entity value as aggregate over the last 5 minute(s) every 5 minute(s). 
Fill gaps in data with Null values and use a unknown threshold level for them.

So far so good... now I also configured a Backfill for the last 30 days (taxing on the system but it should manage).

The Problem:

Upon seeing the Message that the backfill was completed, I checked the itsi_summary Index and found the backfill data of the KPI  but with regular gaps. More precisely, for each day it had backfilled the data from the activation time of the kpi (here 12:30) for about 6h (18:25/18:30) and then there were no further values for the day until the next day around 12:30. Even though there is license usage during the gap times and also available in the license_usage.log used by the KPI search. 

20240711_Splunk_community_KPI_Backfill_Troubleshooting.png

The Data since activation is continuous and has no gaps. 

I tried cloning the KPI, remaking the KPI with both adhoc or base search, but all featured the same curious results (just with different starting points as the activation time of the KPI was different).

Thus now I am wondering if there is some sort of limit for backfilling or if perhaps someone has an idea what caused this strange backfill behaviour? (Also there was no error message in the _internal index as far as I could tell.) 

Help and ideas would be appreciated. Thanks in advance. 

Labels (3)
Tags (5)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2024 03:06 AM

What happens if you backfill for one day at a time (rather than all 30 days together)?

0 Karma
Reply

LH_Splunker
Explorer
‎07-11-2024 04:54 AM

I also tried just with 7 days Backfill, but sadly got the same results. 

20240711_Splunk_community_KPI_Backfill_Troubleshooting_2.png

7 days is also the minimum Splunk ITSI offers as a backfill option. 

If you write  backfill for 1 day, do you mean to manually fill the itsi_summary index? As in not going via the GUI of Splunk ITSI? 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2024 05:10 AM

What rules have you got configured in $SPLUNK_HOME/etc/apps/SA-ITOA/default/itsi_rules_engine.properties?

0 Karma
Reply

LH_Splunker
Explorer
‎07-12-2024 04:02 AM

Hi ITWhisperer, 

they are still the same as the default.

Admittedly, I am a bit stumped about the the finer details of these properties. At most I could see the entry of 

# The number of entries per page when paginating Rules Engine searches.
internal_search_page_size = 10000

being perhaps the culprit as to why ITSI only indexed around ~10070 events per day. 

Or do you know which rule might limit the backfill-size?  

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...