Splunk IT Service Intelligence: Why am I not getting any data in the threshold section using the stats command in this search?

New Member

I'm using Splunk IT Service Intelligence and this search:

(index=mtparam mtparam=Fabwide:NON-DELETABLE sourcetype=Realtime30MinPaceByArea) OR sourcetype=*RUN_count* | stats max(RUN_COUNT) as RUNCOUNT,  max(Value) as PACE | eval Delta=(PACE - RUNCOUNT) 

Using the Splunk search app, I see values for the three, but using ITSI, and what I believe to be the proper threshold field Delta, I am receiving no data in the threshold section. Am I doing something incorrectly?

0 Karma

Path Finder

For future me, I thought I'd post the actual answer - after some amazing help, it's actually very simple...

To make a KPI to track errors...

Make your search to filter results:

index=main error* fail*

Then in the "Threshold Field" use

_time

and then set the "Service/Aggregate Calculation" to be "Count"

Also remember to click the "Apply Adaptive Thresholding" button to apply the template chosen, and job done!

Splunk Employee

It is not technically supported to have a transforming/reporting search command such as stats in the KPI's base search. However, it will still work if you append the "gettime" macro to your search.

The charts do not work because they are expecting a time field. Once you put in the gettime, you will get one data point in the chart. Everything in the UI for the rest of the app will still work as long as you do not convert to "raw" and stick with the ITSI summary for powering visualizations. You can confirm that it will work by clicking on the "generated search" in the modal for KPI definition. That will open the search ITSI will be using in the search; if the results from that look good, then you are good to go!

For reference this is the modification I would recommend to your search:

(index=mtparam mtparam=Fabwide:NON-DELETABLE sourcetype=Realtime30MinPaceByArea) OR sourcetype=*RUN_count* | stats max(RUN_COUNT) as RUNCOUNT,  max(Value) as PACE | eval Delta=(PACE - RUNCOUNT) | `gettime`

Legend

Try converting them to numbers: convert num(PACE) as PACE | convert num(RUNCOUNT) as RUNCOUNT | eval Delta=(PACE - RUNCOUNT)

0 Karma

Communicator

Can you try using the delta command? | delta RUN_COUNT as PACE

0 Karma

Contributor

Did you ever figure out an answer for this issue? I ran into the same and the above comments did not help.

0 Karma