Splunk IT Service Intelligence

Why itsi_summary index fields - service & service_name are not showing in the itsi logs

Nisha18789
Builder

We are using ITSI version 4.4.2.

As per the ITSI documentation, we should have a service_name field in the events; however, it is missing for all our services. We were using ITSI 2.1 before and moved to the newer version a few months ago, and all the existing services were backed up and restored to the newer version.

https://docs.splunk.com/Documentation/ITSI/4.4.2/Configure/IndexRef

Existing event log sample of our ITSI KPI data:

08/27/2020 10:42:55 +0100, search_name="Indicator - f6e4106b7a49f3b882d7fff4 - ITSI Search", search_now=1598521380.000, info_min_time=1598521315.000, info_max_time=1598521375.000, info_search_time=1598521402.096, qf="", kpi="Test Kpi", kpiid=f6e4106b7a49f3b882d7fff4, urgency=11, serviceid="6fb709cc-b8e9-4fce-8ffe-16f24a775500", itsi_service_id="6fb709cc-b8e9-4fce-8ffe-16f24a775500", is_service_aggregate=1, is_entity_in_maintenance=0, is_entity_defined=0, entity_key=service_aggregate, is_service_in_maintenance=0, is_filled_gap_event=0, alert_color="#99D18B", alert_level=2, alert_value=0, itsi_kpi_id=f6e4106b7a49f3b882d7fff4, is_service_max_severity_event=1, alert_severity=normal, alert_period=1, entity_title=service_aggregate

Below is the expected event log as per the newer ITSI version.

05/14/2020 13:40:00 +0100, search_name=disabled_kpis_healthscore_generator, search_now=1589460060.000, info_min_time=1589460000.000, info_max_time=1589460060.000, info_search_time=1589460078.816, kpi="Test kpi", color="#CCCCCC", kpiid=76e0d65b920711618c59571e, enabled=0, urgency=5, kpi_name="Test kpi", gs_kpi_id=76e0d65b920711618c59571e, serviceid="8e827332-35f7-435d-bae3-134e81e943f9", gs_service_id="8e827332-35f7-435d-bae3-134e81e943f9", indexed_is_service_max_severity_event=0, indexed_is_service_aggregate=1, itsi_service_id="8e827332-35f7-435d-bae3-134e81e943f9", indexed_itsi_service_id="8e827332-35f7-435d-bae3-134e81e943f9", is_service_aggregate=1, is_entity_defined=0, entity_key=service_aggregate, alert_color="#CCCCCC", alert_level="-3", alert_value="N/A", itsi_kpi_id=76e0d65b920711618c59571e, kpi_urgency=5, search_name="Indicator-Disabled_kpis- ITSI search", is_service_max_severity_event=0, alert_severity=disabled, alert_period=5, entity_title=service_aggregate, indexed_itsi_kpi_id=76e0d65b920711618c59571e, service_name="Test service"

I want to know what the possible reasons behind this could be, and what is the easiest and preferred way to fix it; for example, can this be fixed when we upgrade to a higher version of ITSI?

Thanks in advance!


eduncan
Splunk Employee
When you look in the episode that is created when a KPI is alerting, do you see service_name in the common fields? When you upgraded, did you clean your KV store first?
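An added diagnostic search (not part of either post above) that quantifies the problem from the itsi_summary index before touching the KV store: for every service/KPI pair it counts how many summary events carry service_name, and how many carry the indexed_* fields that only the newer indicator searches write (see the expected event above), so you can tell whether the old-format events come from all KPIs or only from services restored from the 2.1 backup. The service_kpi_list lookup, its field names (serviceid, kpiid, service_name, kpi_name) and the 24-hour window are assumptions of this example; if that lookup is not present in your ITSI build, drop the lookup line and the expected_* columns.

```spl
index=itsi_summary is_service_aggregate=1 earliest=-24h
| eval has_service_name=if(isnull(service_name), 0, 1)
| eval new_format=if(isnull(indexed_itsi_service_id), 0, 1)
| stats count AS events, sum(has_service_name) AS with_service_name, sum(new_format) AS new_format_events, latest(_time) AS last_seen BY serviceid, kpiid
| where with_service_name < events
| lookup service_kpi_list serviceid, kpiid OUTPUT service_name AS expected_service_name, kpi_name AS expected_kpi_name
| convert ctime(last_seen)
| table serviceid, kpiid, expected_service_name, expected_kpi_name, events, with_service_name, new_format_events, last_seen
```

Rows where new_format_events is 0 are KPIs still being written by the old-style indicator searches (search_name="Indicator - <kpiid> - ITSI Search", as in the first sample event); rows where new_format_events equals events but with_service_name is still 0 point at the service record itself, which is the case where cleaning and re-importing the KV store, as suggested above, is the relevant fix. Rows with an empty expected_service_name are service/KPI pairs that exist in the summary index but not in the service lookup, i.e. orphans from the restore.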