Splunk IT Service Intelligence

ITSI KPI : Can I create query using join from two idexes

Joycetran
New Member

I need to create a KPI in service. This KPI is the percent between error and session. Error is count from index a, session is from index b, I need to join an create field as percent;
index=a | eval time_hour = strftime(_time, "%D-%H")|stats count as error| join time_hour [search index=b eventType="use" | eval time_hour = strftime(_time, "%D-%H") | stats count AS sessions ]|eval percent=error/session *100

It does not show the data in ITSI service. What should I change

Labels (2)
0 Karma

yannK
Splunk Employee
Splunk Employee

Does it work when you run it manually?

ITSI runs the KPI search as the role "splunk-system-user", check if that role has the permission to search the indexes A and B.

0 Karma

Joycetran
New Member

I have the admin access. If I run manually in search head, It works. When i bring to service to create KPI, It doesn't data. I dont know whether there is any rules or comment that cannot use in service KPI

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!