Splunk IT Service Intelligence: which of the following base searches is the best approach?



I am currently creating a base search which will be used in ITSI to populate KPIs and Glass tables.

Which approach sounds better from a performance/functionality point of view?

1. To create entities and filter specific KPIs based on the entity
2. To transpose the results, "converting" each possible entity into a distinct column and separating them as a base search metric? The current result is about 500+ rows and the trend is to increase with time...

Thank you.

0 Karma

Splunk Employee

If you want to compare, try and let it run.
Then use the scheduler.log to see the run_time of the ITSI "indicator" search to see which one is faster.

Using a shared base search can be an option to scale up, but as the entity filter is added after, it is sometimes expensive.

0 Karma
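One way to run the run_time comparison suggested in the answer above, as an added example that is not part of the original thread or Splunk's own code: it parses the key=value fields of scheduler.log lines and summarizes run_time per "Indicator" search. The log lines and search names are constructed, and the `Indicator` name prefix is an assumption about how the two candidate KPI searches are named.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample in the key=value style of scheduler.log; the search
# names, timings and result counts are invented for illustration.
SAMPLE_LOG = """\
10-19-2021 10:00:04.210 +0000 INFO  SavedSplunker - app="itsi", savedsearch_name="Indicator - kpi-entity-filter - ITSI Search", status=success, run_time=4.210, result_count=512
10-19-2021 10:00:02.100 +0000 INFO  SavedSplunker - app="itsi", savedsearch_name="Indicator - kpi-transposed - ITSI Search", status=success, run_time=2.100, result_count=1
10-19-2021 10:05:00.000 +0000 INFO  SavedSplunker - app="itsi", savedsearch_name="Indicator - kpi-entity-filter - ITSI Search", status=skipped, reason="concurrency limit reached"
10-19-2021 10:10:04.590 +0000 INFO  SavedSplunker - app="itsi", savedsearch_name="Indicator - kpi-entity-filter - ITSI Search", status=success, run_time=4.590, result_count=520
10-19-2021 10:10:02.300 +0000 INFO  SavedSplunker - app="itsi", savedsearch_name="Indicator - kpi-transposed - ITSI Search", status=success, run_time=2.300, result_count=1
10-19-2021 10:10:09.000 +0000 INFO  SavedSplunker - app="search", savedsearch_name="Some Other Report", status=success, run_time=9.000, result_count=3
"""

# Matches key="quoted value" or key=bare_value pairs.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value pairs of one scheduler.log line as a dict."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}

def summarize(log_text, name_prefix="Indicator"):
    """Per-search run count, average/max run_time and skipped count."""
    runs, skipped = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        name = f.get("savedsearch_name", "")
        if not name.startswith(name_prefix):  # assumed naming of KPI searches
            continue
        if f.get("status") == "success" and "run_time" in f:
            runs[name].append(float(f["run_time"]))
        elif f.get("status") == "skipped":     # skipped runs carry no run_time
            skipped[name] += 1
    return {n: {"runs": len(runs[n]),
                "avg": round(mean(runs[n]), 3) if runs[n] else None,
                "max": max(runs[n]) if runs[n] else None,
                "skipped": skipped[n]}
            for n in set(runs) | set(skipped)}

def fastest(summary):
    """Name of the search with the lowest average run_time."""
    timed = {n: s["avg"] for n, s in summary.items() if s["avg"] is not None}
    return min(timed, key=timed.get)

if __name__ == "__main__":
    for name, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(name, stats)
```

The skipped count is reported alongside the timings because a search that is often skipped can look fast on average while still missing its schedule.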