Splunk IT Service Intelligence

How to set up the correlation search to make KPI's status change the notable events in IT Service Intelligence?

New Member

Hello everyone

Now I'm trying to configure the alert of Multi-KPI and Single-KPI. But I don't have any idea about how to configure the correlation search to create the notable events for the status change of the single KPI (e.g. one KPI like CPU utilization or Memory usage in 1 service).

Could anyone teach me how to set up the correlation search for Single KPI in ITSI?

Thank you

0 Karma

Splunk Employee


Check out https://docs.splunk.com/Documentation/CPITSIMonitorAlert/2.2.0/CP/About for how to get started with correlation searches. This will give you the tools you need. For example, "Service Monitoring - Sustained KPI Degradation (Recommended)" can be a good start.

To filter to a specific service and/or KPI, use something like:

| mstats latest(*) as * where index=itsi_summary_metrics 
    [| `service_kpi_list` 
    | search service_name="*" kpi_name=* 
    | fields kpiid 
    | rename kpiid as itsi_kpi_id
    | format ] by host span=1m


Or, from the event index:

index=itsi_summary [|`service_kpi_list` | search service_name="*" kpi_name=* | fields kpiid | format ]
| lookup service_kpi_lookup _key as itsi_service_id OUTPUT title as service_name
| table _time kpi, alert_*, entity_* service*,indexed_is_service_aggregate





0 Karma
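One way to turn the event-index filter above into a status-change search for a single KPI, as an added example that is not part of the original answer or Splunk's shipped content. The service and KPI names are placeholders, and the fields `is_service_aggregate`, `alert_severity` and `alert_value` are assumed to be present on `itsi_summary` events (the last two match the `alert_*` wildcard in the answer's `table` command).

```spl
index=itsi_summary is_service_aggregate=1
    [| `service_kpi_list`
    | search service_name="Online Store" kpi_name="CPU Utilization"
    | fields kpiid
    | format ]
| sort 0 kpiid _time
| streamstats current=f window=1 last(alert_severity) as previous_severity by kpiid
| where isnotnull(previous_severity) AND alert_severity!=previous_severity
| lookup service_kpi_lookup _key as itsi_service_id OUTPUT title as service_name
| table _time service_name kpi previous_severity alert_severity alert_value
```

Each returned row is one severity transition of the service-level KPI. When the search is saved as a correlation search, give it a time range that spans at least two KPI evaluation periods so that `streamstats` has a previous value to compare against.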