Splunk IT Service Intelligence

Splunk IT Service Intelligence: which of the following base searches is the best approach?

Explorer

Hi,

I am currently creating a base search which will be used in ITSI to populate KPIs and Glass tables.

Which approach sounds better from a performance/functionality point of view?

To create entities and filter specific KPIs based on the entity

-or-

To transpose the results, "converting" each possible entity into a distinct column and separating them as a base search metric? The current result is about 500+ rows and the trend is to increase with time...

Thank you.

0 Karma

Re: Splunk IT Service Intelligence: which of the following base searches is the best approach?

Splunk Employee

If you want to compare, try and let it run.
Then use the scheduler.log to see the run_time of the ITSI "indicator" search to see which one is faster.

Using a shared base search can be an option to scale up, but as the entity filter is added afterwards, it is sometimes expensive.

0 Karma
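
The run_time comparison suggested in the reply above, as an added example that is not part of the original thread: it parses scheduler.log lines and summarises run_time per "Indicator" search, counting skipped or failed runs separately. The log lines and saved search names are constructed, and the key=value line layout is an assumption about the log format.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample lines (assumed key=value layout of scheduler.log).
# The saved search names are hypothetical stand-ins for the two designs.
SAMPLE_LOG = """\
03-12-2024 10:00:07.101 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SA-ITOA;Indicator - Shared - entities - ITSI Search", user="nobody", savedsearch_name="Indicator - Shared - entities - ITSI Search", status=success, run_time=6.412, result_count=512
03-12-2024 10:05:06.640 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SA-ITOA;Indicator - Shared - entities - ITSI Search", user="nobody", savedsearch_name="Indicator - Shared - entities - ITSI Search", status=success, run_time=5.988, result_count=514
03-12-2024 10:00:10.002 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SA-ITOA;Indicator - Shared - transposed - ITSI Search", user="nobody", savedsearch_name="Indicator - Shared - transposed - ITSI Search", status=success, run_time=9.250, result_count=1
03-12-2024 10:05:00.015 +0000 WARN  SavedSplunker - savedsearch_id="nobody;SA-ITOA;Indicator - Shared - transposed - ITSI Search", user="nobody", savedsearch_name="Indicator - Shared - transposed - ITSI Search", status=skipped, reason="The maximum number of concurrent scheduled searches has been reached"
03-12-2024 10:10:11.480 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SA-ITOA;Indicator - Shared - transposed - ITSI Search", user="nobody", savedsearch_name="Indicator - Shared - transposed - ITSI Search", status=success, run_time=10.750, result_count=1
03-12-2024 10:10:02.200 +0000 INFO  SavedSplunker - savedsearch_id="admin;search;Some Other Report", user="admin", savedsearch_name="Some Other Report", status=success, run_time=42.000, result_count=3
"""

# key=value where the value is either a quoted string or a bare token.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_line(line):
    """Return the key=value pairs of one scheduler.log line as a dict."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}


def run_time_summary(log_text, name_prefix="Indicator"):
    """Summarise run_time per saved search whose name starts with name_prefix."""
    times = defaultdict(list)   # successful runs only
    not_ok = defaultdict(int)   # skipped or failed runs carry no usable run_time
    for line in log_text.splitlines():
        event = parse_line(line)
        name = event.get("savedsearch_name", "")
        if not name.startswith(name_prefix):
            continue
        if event.get("status") != "success" or "run_time" not in event:
            not_ok[name] += 1
            continue
        times[name].append(float(event["run_time"]))
    summary = {}
    for name in set(times) | set(not_ok):
        runs = times[name]
        summary[name] = {
            "runs": len(runs),
            "avg": round(mean(runs), 3) if runs else None,
            "max": max(runs, default=None),
            "not_ok": not_ok[name],
        }
    return summary


if __name__ == "__main__":
    for name, stats in sorted(run_time_summary(SAMPLE_LOG).items()):
        print(name, stats)
```

A skipped run matters as much as a slow one when comparing the two designs, since a KPI whose search is skipped gets no value for that interval.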