Splunk ITSI

Entities not associated with my Service showing in Service Detail and impacting health score

sallyanntracy
Explorer

I've created two Services that use the same base KPI search. The difference is one Service is for the overall health of our RHEL infrastructure, the other is for the RHEL infrastructure of a single application.

I've defined the entities for the application. The application infrastructure is performing fine, but some other RHEL boxes are critical. The problem non-application boxes are dragging down the application health score and show up in the application service detail.

Where do I need to look to see why all the RHEL boxes are showing up in my entity-defined application Service?

0 Karma
1 Solution

sallyanntracy
Explorer

It turns out to have been a fairly simple 2-part fix (that was not at all intuitive):

  1. In the base KPI search, leave the Entity Alias Filtering field blank.
  2. Define entities before adding KPIs.

In my ITSI Admin class, we always skipped over the entities portion of the Service setup and went straight to KPIs.

0 Karma

chrisyounger
SplunkTrust

Hi @sallyanntracy

Have you done this:
Configure > Service > Edit Service > Entities > Configured rules to match only the servers you need.

If you have done that, and you have entities with the wrong KPIs, then you might need to split the service in two services and make one dependent on the other.

Hope this is helpful

0 Karma

sallyanntracy
Explorer

Hi Chris,

Yes, I had done that, but it turns out that it needs to be done first thing (which admittedly seems pretty obvious now, but wasn't what we did in class.)

Thank you for responding!

0 Karma