Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to backfill a ServiceHealthScore in ITSI?

skoelpin
SplunkTrust
SplunkTrust
‎07-10-2018 07:55 AM

I had to create a new service and backfilled the KPI's but the ServiceHealthScore does not backfill. How can I get this backfilled?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎07-24-2018 09:16 AM

I ended up writing the SPL to calculate the ServiceHealthScore and backfilling it in the itsi_summary index. I confirmed it with the internal ITSI team and was told not to make the math behind it public

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎07-24-2018 09:16 AM

I ended up writing the SPL to calculate the ServiceHealthScore and backfilling it in the itsi_summary index. I confirmed it with the internal ITSI team and was told not to make the math behind it public

0 Karma
Reply
Solved! Jump to solution

PowerPacked
Builder
‎07-24-2018 11:02 AM

Hi @skoelpin

Good to hear, you got the solution.

Can you share how you were able to backfill a ServiceHealthScore KPI, as there is no option of backfill for this KPI in configure service page & Anywhere.

Not asking about maths & calculation.

Thanks

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎07-24-2018 11:15 AM

Yes. At a very high level, it will look like this. You must first backfill each KPI, in my case I did it into the regular summary index and joined it to the itsi_summary to keep it clean. This has 5 KPI's and 2 use adaptive thresholding and the other 3 use static thresholding. You can then use these values to display ServiceHealthScores in deep dives and glasstable views. 

index=summary  KPI1 OR KPI2 OR KPI3 OR KPI4 OR KPI5
| timechart span=1m max(KPI1)  max(KPI2) max(KPI3) max(KPI4) max(KPI5)
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| eval Sunday=if(like(DayOfWeek,"Sunday"),1,0)
| eval HourOfDay_2hourbar=if(HourOfDay%2==0,HourOfDay/2,null())
| filldown HourOfDay_2hourbar
| lookup xxxx_pdf.csv Sunday as Sunday HourOfDay_2hourbar as HourOfDay_2hourbar
| foreach max*
    [ eval "Z_<<FIELD>>" = ('<<FIELD>>' - 'avg(<<FIELD>>)' ) / 'stdev(<<FIELD>>)']
| rename "max(KPI1)" as KPI1
| eval KPI2 = case(KPI1==0,"Normal",KPI1<2,"Low",KPI1<4,"Medium",KPI1<6,"High",KPI1>=6,"Critical")
| rename "max(KPI2)" as KPI2
| eval KPI2_Level = case(KPI2==0,"Normal",KPI2<2,"Low",KPI2<4,"Medium",KPI2<6,"High",KPI2>=6,"Critical")
| rename "max(KPI3)" as KPI3
| eval KPI3_Level = case(KPI3==0,"Normal",KPI3>=1,"Critical")
| rename "max(KPI4)" as KPI4
| rename "max(KPI4)" as KPI4
| rename "*(*)" AS *_*
| eval KPI5 = case(Z_max_KPI4>=0,"Normal",Z_max_KPI4>=-2,"Low",Z_max_KPI4>=-3,"High",Z_max_KPI4<-3,"Critical")
| eval KPI5_Level  = case(Z_max_KPI5_Level<=0,"Normal",Z_max_KPI5<1,"Low",Z_max_KPI5<2,"Medium",Z_max_KPI5<3,"High",Z_max_KPI5>=3,"Critical")
| fields + *Level

<REDACTED>

| bin _time span=1m
| stats avg(Redacted1) AS xxxx avg(redacted2) AS xxxx avg(Redacted3) AS xxxx avg(Redacted4) AS xxxx avg(Redacted5) AS xxx  by _time
| eval ServiceHealthScore=(xxx+xxxx+xxx+xxx+xxx)/5
| timechart span=1m max(ServiceHealthScore) AS ServiceHealthScore
0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎07-12-2018 08:50 AM

Currently ITSI (as of 3.1.X )
Only the KPI can be backfilled. (specifically non metrics KPI as of ITSI 3.1.X)
ITSI does not offer a way to backfill the service scores, because of the way the scores are being calculated.

There is a discussion to make it a feature in the future.

0 Karma
Reply
Solved! Jump to solution

PowerPacked
Builder
‎07-10-2018 09:18 AM

Hi @skoelpin

Servicehealthscore is a KPI which is calculated based on the severity level and importance of all remaining KPI's existing in the same sercvice at that time.

Servicehealthscore is a score from 0 (critical) to 100(normal) --- calculation formulae = [weighted alert levels] / Σ [importance weights]

example:
KPINAME - ALERTSEVERITY - IMPORTNANCE
kpi1 - low - 10
kpi2 - high - 5

servicehealthscore = (70*10) + (30*5) / 10 + 5

Alert Severity and its scores are:
Normal - 100, Low- 70, Medium - 50, High - 30, Critical - 0.

so to say, when you did a backfill of all the kpis, they dont have a Threshold & Importnace set & servicehealthscore can't be calculated at that time.

Thanks

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎07-10-2018 09:21 AM

Yes, I know.. This is why I asked the question with a bounty. I want to know how to backfill the health score now that all the KPIs are backfilled

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...