Splunk IT Service Intelligence

How to enable Splunk IT Service Intelligence to use earliest=@d modifier to execute search at midnight?

anveshdodda
New Member

When you write earliest=@d, it executes search from midnight in Splunk Cloud. But in Splunk IT Service Intelligence (ITSI), it executes from the last 24 hours. My preference is for ITSI to perform as it does in Splunk Cloud. So is this an issue in Splunk?

0 Karma

rossl_splunk
Splunk Employee
Splunk Employee

Where are you defining that search? Is that in a KPI search? Also are you using a different version of ITSI than is installed on the cloud instance?

0 Karma

anveshdodda
New Member

Hi ..
Thanks for your reply

Yes it's in the kpi base search ...
I use the same one that is installed on the cloud instance ....
Also when i put kpi summary as off then I get the same count as I get in base core splunk but when I change the kpi summary to on that's where I get the kpi count different ...

0 Karma

rossl_splunk
Splunk Employee
Splunk Employee

Are you sure the data is the same? Also, "earliest" and "latest" in a KPI Base Search is not recommended. We recommend that you use the KPI Interval option in the UI if you can.

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...