Splunk IT Service Intelligence

Splunk ITSI create KPI with text value or state value

deodion
Path Finder

I use Splunk TA-Connectivity,
I have a search that test internet connection by using below search, the event shows pinging the url is successful:

index=connectivity sourcetype=webping url="*google*" 
| stats values(url) latest(description) AS status latest(action) AS action by url 
| fields url status action

alt text

Is there any way to use this as Splunk ITSI KPI?
What is the best way to incorporate text based value into KPI?

May be I simply adjust the search like below?

index=connectivity sourcetype=webping url="*detik*" OR url="*google*"
| stats values(url) latest(description) AS status latest(action) AS action by url 
| fields url status action
| eval kpi_status = if(status == online, 100, 0)

So I simply use kpi_status field as the Threshold Field,

any other better ways? Thanks!!

0 Karma
1 Solution

sduff_splunk
Splunk Employee
Splunk Employee

As per your other question, try not to use stats in your KPI queries, you don't need it.

index=connectivity sourcetype=webping url="*detik*" OR url="*google*" | eval kpi_msg=if(status="online", 100, 0)

Will you split the KPI by the url field? Have you considered how you want to combine that to indicate the aggregate health of the service?

View solution in original post

sduff_splunk
Splunk Employee
Splunk Employee

As per your other question, try not to use stats in your KPI queries, you don't need it.

index=connectivity sourcetype=webping url="*detik*" OR url="*google*" | eval kpi_msg=if(status="online", 100, 0)

Will you split the KPI by the url field? Have you considered how you want to combine that to indicate the aggregate health of the service?

deodion
Path Finder

yes you are correct I found the answer after I post question anyway thanks!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...