Splunk IT Service Intelligence

Entities not associated with my Service showing in Service Detail and impacting health score

sallyanntracy
Explorer

I've created two Services that use the same base KPI search. The difference is one Service is for the overall health of our RHEL infrastructure, the other is for the RHEL infrastructure of a single application.

I've defined the entities for the application. The application infrastructure is performing fine, but some other RHEL boxes are critical. The problem non-application boxes are dragging down the application health score and show up in the application service detail.

Where do I need to look to see why all the RHEL boxes are showing up in my entity-defined application Service?

0 Karma
1 Solution

sallyanntracy
Explorer

It turns out to have been fairly simple 2-part fix (that was not at all intuitive):

  1. In the base KPI search, leave the Entity Alias Filtering field blank.
  2. Define entities before adding KPIs.

In my ITSI Admin class, we always skipped over the entities portion of the Service setup and went straight to KPIs.

View solution in original post

0 Karma

sallyanntracy
Explorer

It turns out to have been fairly simple 2-part fix (that was not at all intuitive):

  1. In the base KPI search, leave the Entity Alias Filtering field blank.
  2. Define entities before adding KPIs.

In my ITSI Admin class, we always skipped over the entities portion of the Service setup and went straight to KPIs.

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Hi @sallyanntracy

Have you done this:
Configure >Service >Edit Service >Entities >Configured rules to match only the servers you need.

If you have done that, and you have entities with the wrong KPIs, the n you might need to split the service in two services and make one dependant on the other.

Hope this is helpful

0 Karma

sallyanntracy
Explorer

Hi Chris,

Yes, I had done that, but it turns out that it needs to be done first thing (which admittedly seems pretty obvious now, but wasn't what we did in class.)

Thank you for responding!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...