I am using old Hive DB log in ITSI, but while creating KPI I am getting an issue, I tried different functions like average/distinct etc during setting up KPI, but that is giving me some weird results.
For example, in my search query I am extracting all the failure counts due to connection timeout, but when I try to display that in ITSI,
that is not giving me expected answer. Please let me know how to handle that situation.
Please find the query below, want to use date as KPI, every day how many failure due to connection time out issue.
("FAIL" Connection timed out sourcetype="XXXXXX") date_minute="" earliest=-2mon@mon latest=now| top limit=20 date_hour
I am expecting individual counts in KPI.
Assume this search returns 20 events in 24 hours:
Check which field is unique in each event.Take that field as Threshold Field.In the calculation window count the field value gives you number of events.This gives you how many failures in 24 hours.Try to select time in ITSI KPI creation and not in Search itself. Let me know if you need any help.
NB:- If there is no time out in last 24 hours and you wish to show this KPI as normal then you need to select treat gap as Normal while creating KPI.
The reason why your KPI is not summarizing events is likely that your search is removing critical fields from the results.
Transformation commands are not allowed in a KPI.
The ad hoc search string that you create. This is the event gathering search for the KPI.
Note: The use of transforming commands, the mstats command, the
gettimemacro, or time modifiers in your KPI search is not recommended as this may cause issues with KPI backfill, the display of raw data on ITSI views such as glass tables and deep dives that allow you to run KPI searches against raw data, and the KPI threshold preview.
in your comment your search was :
("FAIL*" Connection timed out sourcetype="XXXXXX") date_minute="*" earliest=-2mon@mon latest=now| top limit=20 date_hour
The "top" command will remove all fields, except the "datehour"
ITSI KPI needs to have at least the field "time" preserved in your results to be able to do some calculations.
Also depending on the fields you are using for the KPI service aggregate, the entity calculation, and the entity filter, and the entity split by, you have to make sure that those fields are preserved.