Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can I use Rest API command into ITSI?

htramtran83
Explorer
‎08-23-2019 12:54 PM

I want to find the concurrent search limit (max_rt_searches/max_hist_scheduled_searches...)

| rest "/services/server/status/limits/search-concurrency?cluster_wide_quota=1"

| stats max(max_hist_searches) as max_hist_searches, max(max_hist_scheduled_searches) as max_hist_scheduled_searches, max(max_rt_searches), as max_rt_searches, max(max_rt_scheduled_searches) as max_rt_scheduled_searches, max(max_auto_summary_searches) as max_auto_summary_searches

| fields max_hist_searches, max_hist_scheduled_searches,

max_rt_searches, max_rt_scheduled_searches,
max_auto_summary_searches,

I cannot create KPI inside ITSI. Anyone can help me explain?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-23-2019 05:23 PM

ITSI KPI searches need to preserve necessary fields to work,

As mentioned here: https://docs.splunk.com/Documentation/ITSI/latest/Configure/AddKPIs#Define_a_source_search_from_an_a...

The ad hoc search string that you create. This is the event gathering search for the KPI.
Note: The use of transforming commands, the mstats command, the gettime macro, or time modifiers in your KPI search is not recommended as this may cause issues with KPI backfill, the display of raw data on ITSI views such as glass tables and deep dives that allow you to run KPI searches against raw data, and the KPI threshold preview.

in your case, you need to preserve the field _time. (maybe others, depending of your filters/entities lookup mapping etc...)

try to add something like that to your stats command

| stats first(_time) AS _time
and to your fields
| fields _time ...

0 Karma
Reply

atsviatkou_splu
Splunk Employee
Splunk Employee
‎10-21-2019 08:42 PM

Do you want to track value of max_rt_searches/max_hist_scheduled_searches as a KPI?

In a ITSI service create/edit UI you can do KPI > New > Generic KPI
give a name, click next add Ad hoc Search such as

| rest "/services/server/status/limits/search-concurrency?cluster_wide_quota=1"
| stats max(max_hist_searches) as max_hist_searches, 
        max(max_hist_scheduled_searches) as max_hist_scheduled_searches,
        max(max_rt_searches), as max_rt_searches,
        max(max_rt_scheduled_searches) as max_rt_scheduled_searches,
        max(max_auto_summary_searches) as max_auto_summary_searches
| eval rt_search_multiplier=max_rt_searches/max_hist_scheduled_searches
| fields rt_search_multiplier

Use rt_search_multiplier as Threshold Field

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...