Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why itsi_summary index fields - service & service_name are not showing in the itsi logs

Nisha18789
Builder
‎08-27-2020 08:00 AM

we are using ITSI version 4.4.2

I per the ITSI documentation, we should be having service_name field in the events , however its missing for all our services. We were using ITSI 2.1 before and have moved to the newer version few months ago and all the existing services were backed up and restored to the newer version.

https://docs.splunk.com/Documentation/ITSI/4.4.2/Configure/IndexRef

Existing event log sample of our ITSI kpi data:

08/27/2020 10:42:55 +0100, search_name="Indicator - f6e4106b7a49f3b882d7fff4 - ITSI Search", search_now=1598521380.000, info_min_time=1598521315.000, info_max_time=1598521375.000, info_search_time=1598521402.096, qf="", kpi="Test Kpi", kpiid=f6e4106b7a49f3b882d7fff4, urgency=11, serviceid="6fb709cc-b8e9-4fce-8ffe-16f24a775500", itsi_service_id="6fb709cc-b8e9-4fce-8ffe-16f24a775500", is_service_aggregate=1, is_entity_in_maintenance=0, is_entity_defined=0, entity_key=service_aggregate, is_service_in_maintenance=0, is_filled_gap_event=0, alert_color="#99D18B", alert_level=2, alert_value=0, itsi_kpi_id=f6e4106b7a49f3b882d7fff4, is_service_max_severity_event=1, alert_severity=normal, alert_period=1, entity_title=service_aggregate

Below is the expected event log as per newer ITSI version.

05/14/2020 13:40:00 +0100, search_name=disabled_kpis_healthscore_generator, search_now=1589460060.000, info_min_time=1589460000.000, info_max_time=1589460060.000, info_search_time=1589460078.816, kpi="Test kpi", color="#CCCCCC", kpiid=76e0d65b920711618c59571e, enabled=0, urgency=5, kpi_name="Test kpi", gs_kpi_id=76e0d65b920711618c59571e, serviceid="8e827332-35f7-435d-bae3-134e81e943f9", gs_service_id="8e827332-35f7-435d-bae3-134e81e943f9", indexed_is_service_max_severity_event=0, indexed_is_service_aggregate=1, itsi_service_id="8e827332-35f7-435d-bae3-134e81e943f9", indexed_itsi_service_id="8e827332-35f7-435d-bae3-134e81e943f9", is_service_aggregate=1, is_entity_defined=0, entity_key=service_aggregate, alert_color="#CCCCCC", alert_level="-3", alert_value="N/A", itsi_kpi_id=76e0d65b920711618c59571e, kpi_urgency=5, search_name="Indicator-Disabled_kpis- ITSI search", is_service_max_severity_event=0, alert_severity=disabled, alert_period=5, entity_title=service_aggregate, indexed_itsi_kpi_id=76e0d65b920711618c59571e, service_name="Test service"

I want to know what could be the possible reasons behind this, and what is the easiest and preferred way to fix this, like can this be fixed when we upgrade to a higher version of ITSI?

Thanks in advance!

0 Karma
Reply

eduncan
Splunk Employee
Splunk Employee
‎08-28-2020 06:25 AM
Spoiler
When you look in the episode that is created when a KPI is alerting, do you see service_name in the common fields?  When you upgraded, did you clean your KV store first?
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...