How to make monitored object part of ITSI episode

Schroeder · ‎11-02-2021

Hi!

Consider the following kpi base search monitoring the windows service state:

index=wineventlog sourcetype="WinEventLog:System" SourceName="Microsoft-Windows-Service Control Manager"
| rex field=Message "(The) (?<ServiceName>.+) (service entered the) (?<ServiceState>.+) "
| eval ServiceState=case(ServiceState=="running",2,ServiceState=="stopped",0,1==1,1)

If I do not want to explicitly name the windows service in the base search how do I include the service name, here ServiceName, beside the entity_title=host in the later created ITSI episode.
Why? From the created episode we run a recovery action to restart a windows service when stopped. For this we need to know the service name and the host it is running on.

What we need is the entity_title=host and the whatsoever=ServiceName as dedicated fields available in the correlation search from this generic kpi base search. Performing an ITOA rest call is no problem.

Note: If I split by ServiceName then the service name becomes the entity_title and then the host is missing.

Maybe one having an idea which does help us. We just want to avoid creating one KPI per Windows Service.

Cheers

Peter

How to make monitored object part of ITSI episode

configuration

using ITSI

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM