Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How data gets populated in ITSI ?

nilbak1
Communicator
‎05-01-2021 02:46 AM

Hi All,

I have ingested some sample logs in ITSI from windows, oracledb, aws, netapp devices, but the dashboards are not getting populated in ITSI.
Can can anyone who knows ITSI suggest or guide, how can the search ananlyzer, dashboards gets populated ?
I have enabled correlation searches as well, but it did not worked.

Labels (1)
Labels
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-03-2021 05:43 PM

in ITSI 

The search analyzer get populated by the summarized KPI data. (from index=itsi_summary in older versions, from metric index=itsi_summary_metrics since ITSI 4.7)

To get data in it this requires those steps :

- define some entities (optional, but nicer), if you have normalized data from official addons, you could look to enable the default entity detections (they can pick up linux metrics, windows entities, databases etc)
- create services (with filters to find entities if you are using entities), and some KPIs. If you are using normalized data, you can look at the "shared base searches" examples shipped to create your KPIs.
- the KPI are working like scheduled saved searches, they will start to summarize your metrics, and save the result into the indexes
- then the service analyzer will have data to measure the services healthscores, and will start populate.

for details  on the service insight : https://docs.splunk.com/Documentation/ITSI/4.9.2/SI/AboutSI

The other feature in ITSI is to use Alerting / Episodes
To get it setup

- create correlation searches, generating notable events (going to the index=itsi_tracked_alerts)
- OR if you have KPIs, use multiKPI alerting
- the Rules engine will detect them in realtime (you need realtime allowed), and group them in to episodes in to index=itsi_grouped_alerts
- the episodes will be displayed in the "incident review" dashboard

for details on "Event Analytics" https://docs.splunk.com/Documentation/ITSI/4.9.2/EA/AboutEA

for ITSI to work, please double check that :
- you have realtime allowed
- that JAVA is installed on the SH
- that the SA-IndexCreation app was properly deployed on the indexers 
 - that your ITSI SH is able to forward data to the indexers
- that HEC is enabled and working on the SH

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...