Splunk IT Service Intelligence: which of the following base searches is the best approach?

robettinger
Explorer

Hi,

I am currently creating a base search which will be used in ITSI to populate KPIs and Glass tables.

Which approach sounds better from a performance/functionality point of view?

To create entities and filter specific KPIs based on the entity

-or-

To transpose the results, "converting" each possible entity into a distinct column and separating them as a base search metric? The current result is about 500+ rows and the trend is to increase with time...

Thank you.

0 Karma

yannK
Splunk Employee

If you want to compare, try and let it run.
Then use the scheduler.log to see the run_time of the ITSI "indicator" search to see which one is faster.

Using a shared base search can be an option to scale up, but as the entity filter is added after, it is sometimes expensive.

0 Karma
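The scheduler.log comparison suggested in the answer above can be scripted; this is an added example, not part of the original thread or of Splunk's own tooling. The search names `kpi_by_entity` and `kpi_transposed` are hypothetical, the log lines are constructed samples, and the parser assumes the key=value fields `savedsearch_name`, `status` and `run_time`.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample lines in the key=value style of scheduler.log (not real output).
# The two savedsearch_name values are hypothetical names for the two candidate designs.
SAMPLE_LOG = '''\
10-01-2021 10:00:03.112 +0000 INFO  SavedSplunker - savedsearch_id="nobody;itsi;kpi_by_entity", app="itsi", savedsearch_name="kpi_by_entity", status=success, run_time=4.120, result_count=512
10-01-2021 10:00:04.250 +0000 INFO  SavedSplunker - savedsearch_id="nobody;itsi;kpi_transposed", app="itsi", savedsearch_name="kpi_transposed", status=success, run_time=2.310, result_count=1
10-01-2021 10:05:00.004 +0000 INFO  SavedSplunker - savedsearch_id="nobody;itsi;kpi_by_entity", app="itsi", savedsearch_name="kpi_by_entity", status=skipped, reason="previous run still in progress"
10-01-2021 10:05:02.871 +0000 INFO  SavedSplunker - savedsearch_id="nobody;itsi;kpi_transposed", app="itsi", savedsearch_name="kpi_transposed", status=success, run_time=2.190, result_count=1
10-01-2021 10:10:04.640 +0000 INFO  SavedSplunker - savedsearch_id="nobody;itsi;kpi_by_entity", app="itsi", savedsearch_name="kpi_by_entity", status=success, run_time=4.480, result_count=530
10-01-2021 10:10:02.502 +0000 INFO  SavedSplunker - savedsearch_id="nobody;itsi;kpi_transposed", app="itsi", savedsearch_name="kpi_transposed", status=success, run_time=2.400, result_count=1
'''

# key=value pairs, where the value is either double-quoted or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value fields of one scheduler.log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def run_time_stats(log_text):
    """Summarise run_time per saved search; skipped runs are counted separately."""
    times = defaultdict(list)
    skipped = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_line(line)
        name = fields.get("savedsearch_name")
        if not name:
            continue
        if fields.get("status") == "success" and "run_time" in fields:
            times[name].append(float(fields["run_time"]))
        elif fields.get("status") == "skipped":
            skipped[name] += 1  # a skipped run has no run_time but signals overload
    return {
        name: {"runs": len(vals), "avg": round(statistics.mean(vals), 3),
               "max": max(vals), "skipped": skipped[name]}
        for name, vals in times.items()
    }

def faster_search(stats):
    """Name of the search with the lowest average run_time."""
    return min(stats, key=lambda name: stats[name]["avg"])

if __name__ == "__main__":
    summary = run_time_stats(SAMPLE_LOG)
    for name, row in summary.items():
        print(name, row)
    print("faster:", faster_search(summary))
```

Skipped runs are reported alongside the averages because a search that is regularly skipped is a performance problem even when its successful runs look fast.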