Splunk IT Service Intelligence: which of the following base searches is the best approach?

robettinger
Explorer

Hi,

I am currently creating a base search which will be used in ITSI to populate KPIs and Glass tables.

Which approach sounds better from a performance/functionality point of view?

To create entities and filter specific KPIs based on the entity

-or-

To transpose the results, "converting" each possible entity into a distinct column and separating them as a base search metric? The current result is about 500+ rows and the trend is to increase with time...

Thank you.

0 Karma

yannK
Splunk Employee

If you want to compare, try and let it run.
Then use the scheduler.log to see the run_time of the ITSI "indicator" search to see which one is faster.

Using a shared base search can be an option to scale up, but as the entity filter is added after, it is sometimes expensive.

0 Karma
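The run_time comparison suggested in the answer above can be done offline on a copy of scheduler.log. This is an added example, not part of the original thread: the helper names are hypothetical, the log lines are constructed, and the "Indicator" name prefix used to select the ITSI searches is an assumption based on the answer's wording.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed events in the key=value style of scheduler.log; the search
# names, times and counts are invented, not taken from the thread.
SAMPLE_LOG = '''\
05-10-2021 10:05:02.101 +0000 INFO SavedSplunker - app="itsi", savedsearch_name="Indicator - entity_split_demo", status=success, run_time=4.200, result_count=512
05-10-2021 10:05:03.440 +0000 INFO SavedSplunker - app="itsi", savedsearch_name="Indicator - transposed_demo", status=success, run_time=2.100, result_count=1
05-10-2021 10:10:02.090 +0000 INFO SavedSplunker - app="itsi", savedsearch_name="Indicator - entity_split_demo", status=success, run_time=4.600, result_count=518
05-10-2021 10:10:03.310 +0000 INFO SavedSplunker - app="itsi", savedsearch_name="Indicator - transposed_demo", status=success, run_time=2.500, result_count=1
05-10-2021 10:15:00.020 +0000 INFO SavedSplunker - app="itsi", savedsearch_name="Indicator - entity_split_demo", status=skipped, reason="constructed example"
05-10-2021 10:15:03.280 +0000 INFO SavedSplunker - app="itsi", savedsearch_name="Indicator - transposed_demo", status=success, run_time=2.000, result_count=1
05-10-2021 10:15:04.000 +0000 INFO SavedSplunker - app="search", savedsearch_name="Unrelated report", status=success, run_time=9.900, result_count=3
'''

# key=value pairs; values are either double-quoted or run up to a comma/space.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value pairs of one scheduler.log event as a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}

def run_time_by_search(log_text, name_prefix="Indicator"):
    """Summarise run_time per saved search whose name starts with name_prefix
    (the prefix is an assumption; adjust it to the names in your own log)."""
    runs, skipped = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        event = parse_line(line)
        name = event.get("savedsearch_name", "")
        if not name.startswith(name_prefix):
            continue
        if event.get("status") == "skipped":
            skipped[name] += 1  # a skipped run never executed, so no run_time
        elif "run_time" in event:
            runs[name].append(float(event["run_time"]))
    report = {}
    for name in set(runs) | set(skipped):
        times = runs.get(name, [])
        report[name] = {
            "runs": len(times),
            "skipped": skipped.get(name, 0),
            "avg_run_time": round(mean(times), 3) if times else None,
            "max_run_time": max(times) if times else None,
        }
    return report
```

Counting skipped runs next to the average matters here, because a search that is too slow for its schedule shows up as skipped events rather than as a high run_time.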