Splunk IT Service Intelligence

Splunk ITSI create KPI with text value or state value

deodion
Path Finder

I use Splunk TA-Connectivity,
I have a search that test internet connection by using below search, the event shows pinging the url is successful:

index=connectivity sourcetype=webping url="*google*" 
| stats values(url) latest(description) AS status latest(action) AS action by url 
| fields url status action

alt text

Is there any way to use this as Splunk ITSI KPI?
What is the best way to incorporate text based value into KPI?

May be I simply adjust the search like below?

index=connectivity sourcetype=webping url="*detik*" OR url="*google*"
| stats values(url) latest(description) AS status latest(action) AS action by url 
| fields url status action
| eval kpi_status = if(status == online, 100, 0)

So I simply use kpi_status field as the Threshold Field,

any other better ways? Thanks!!

0 Karma
1 Solution

sduff_splunk
Splunk Employee
Splunk Employee

As per your other question, try not to use stats in your KPI queries, you don't need it.

index=connectivity sourcetype=webping url="*detik*" OR url="*google*" | eval kpi_msg=if(status="online", 100, 0)

Will you split the KPI by the url field? Have you considered how you want to combine that to indicate the aggregate health of the service?

View solution in original post

sduff_splunk
Splunk Employee
Splunk Employee

As per your other question, try not to use stats in your KPI queries, you don't need it.

index=connectivity sourcetype=webping url="*detik*" OR url="*google*" | eval kpi_msg=if(status="online", 100, 0)

Will you split the KPI by the url field? Have you considered how you want to combine that to indicate the aggregate health of the service?

deodion
Path Finder

yes you are correct I found the answer after I post question anyway thanks!

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...