Splunk IT Service Intelligence

Splunk IT Service Intelligence: In Health Entity, why does the alert_value under the "Entities in CPU Used %" pane show a different value?

Explorer

Splunk IT Service Intelligence (ITSI): I have a question about entities in the service detail pane.

So you have your services, and you either clicked on one from your Service Analyzer, or you clicked on "View Health" from the Configure Services menu. So now you have your service, their dependencies, and their KPIs in front of you. When you click on a KPI that has entities, the entities show up on the right side.

This is my question: I have CPU Used % showing up as the maximum of my entities. When I click on CPU Used %, the alert_value that shows is not the current value of that entities CPU Usage, it's more of a maximum that it has seen for the last however long. But when i click on the entity, it then shows the actual CPU Usage %.

Why does the alert_value under the "Entities in CPU Used %" pane show a different value?

Thanks.

0 Karma

Splunk Employee
Splunk Employee

Check the Service/Aggregate Calculation and Entity Calculation being used for the "CPU Used %" KPI in the service definition (Configure > Services > > CPU Used % > Search and Calculate > Calculation).

If the Service/Aggregate Calculation is set to Average this means the KPI reports on the average percentage of CPU used across ALL contributing entities. This service/aggregate value is the value displayed for the "CPU Used %" KPI. Each entity has its own alert value based on the type of calculation used for the Entity Calculation (e.g., Average, Maximum). These entity values are then aggregated to create the service/aggregate value (the value displayed for the KPI value).

So the KPI value and its entity values are usually not the same.

0 Karma

Explorer

I understand. This has nothing to do with the KPI/Aggregate value though. This is looking at each individual entity. Each individual entity doesn't show its current value, it shows some other value (seems to be the max value from some time period). It's annoying when I click on my aggregated KPI, and the entity values that are displayed don't correlate.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!