Splunk ITSI

How to get changed kpi/service status? (ITSI)

sboogaar
Path Finder

To see which alerts are new, I'm trying to generate the following table:


KPI | Service | alert_level | alert_level_previous | entity_title


Where alert_level_previous is the last alert_level for each (KPI, service, entity_title) combination.
So if in the past a KPI was normal and now it is critical, the alert_level should be critical and the alert_level_previous should be normal.
I noticed there are duplicate entries (ALL fields are the same, even the timestamp) in itsi_summary.
My current non-working query:

index=itsi_summary 
| search alert_level >= 4 AND NOT is_entity_in_maintenance=1 AND NOT is_service_in_maintenance=1 
| streamstats window=2 latest(alert_level) as alert_level_previous by kpi, host, itsi_service_id, entity_title 
| streamstats window=2 latest(alert_value) as alert_value_previous by kpi, host, itsi_service_id, entity_title 
| join type=inner itsi_service_id 
    [| search (index=itsi_summary source=service_mapping earliest=-2h latest=now) 
    | dedup itsi_service_id 
    | table itsi_service_id itsi_service ] 
| eval alert_new = if(alert_level != alert_level_previous, "yes", "no") 
| table kpi, itsi_service, alert_level, alert_level_previous, host, alert_new, alert_value, alert_value_previous, _time, entity_title

If anyone can point me in the right direction, it would be very nice.


sboogaar
Path Finder

I ended up with the following query:

index=itsi_summary 
| fields kpi, alert_level, alert_value, entity_title, _time, host, message, alert_severity, itsi_service_id, itsi_kpi_id 
| dedup _time, itsi_service_id, itsi_kpi_id, entity_title 
| reverse 
| streamstats window=1 current=false global=false 
    latest(alert_level) as alert_level_previous, 
    latest(alert_value) as alert_value_previous, 
    latest(_time) as called_last_time, 
    latest(alert_severity) as alert_severity_previous 
    by kpi, itsi_service_id, entity_title 
| reverse 
| join type=inner itsi_service_id 
    [| search (index=itsi_summary source=service_mapping ) 
    | fields itsi_service_id, itsi_service 
    | dedup itsi_service_id 
    | table itsi_service_id itsi_service ] 
| where _time > time() -120 AND alert_level > 4 
| eval calculated_last_time = strftime(called_last_time, "%d %H:%M:%S") 
| eval alert_new = if(alert_level!=alert_level_previous AND alert_level > 4, "1", "0") 
| eval up = alert_level - alert_level_previous 
| stats count by alert_severity, alert_severity_previous, itsi_service, kpi, entity_title, alert_new, alert_value, alert_value_previous, _time, calculated_last_time, host, alert_level, up 
| dedup kpi, itsi_service, entity_title 
| table alert_severity, alert_severity_previous, itsi_service, kpi, entity_title, alert_new, alert_value, alert_value_previous, _time, calculated_last_time, host, alert_level, up 
| sort -alert_new, -alert_level 
| eval alert_email = replace(alert_email, ",", ", ")
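The logic of the answer above (collapse exact duplicates, walk each (kpi, service, entity) series oldest-first, remember the previous observation, then keep only recent rows above the threshold) is easy to get wrong in SPL because streamstats sees events newest-first unless you reverse them. The following Python is an added reference implementation of that same state-change detection, written by the editor and not taken from the poster or from Splunk; it runs over a constructed list of itsi_summary-shaped rows and a constructed service_mapping table, so the values, service IDs and entity names are all made up. One assumption of mine that differs from the SPL: a KPI with no prior observation is counted as a new alert.

```python
"""Reference implementation of "previous alert level per KPI/service/entity"
over itsi_summary-style rows. Added example, not Splunk or the poster's code."""
from typing import Dict, List, Optional

# Constructed sample rows in the shape of itsi_summary events (not real ITSI data).
# Times are epoch seconds. Row index 2 is an exact copy of row index 1, which is
# the duplicate-entry situation the poster saw in itsi_summary.
SAMPLE_ROWS: List[dict] = [
    {"_time": 1000, "itsi_service_id": "svc-a", "itsi_kpi_id": "kpi-cpu", "kpi": "CPU Load",
     "entity_title": "web01", "alert_level": 2, "alert_value": 40, "alert_severity": "normal"},
    {"_time": 1060, "itsi_service_id": "svc-a", "itsi_kpi_id": "kpi-cpu", "kpi": "CPU Load",
     "entity_title": "web01", "alert_level": 6, "alert_value": 95, "alert_severity": "critical"},
    {"_time": 1060, "itsi_service_id": "svc-a", "itsi_kpi_id": "kpi-cpu", "kpi": "CPU Load",
     "entity_title": "web01", "alert_level": 6, "alert_value": 95, "alert_severity": "critical"},
    {"_time": 1120, "itsi_service_id": "svc-a", "itsi_kpi_id": "kpi-cpu", "kpi": "CPU Load",
     "entity_title": "web01", "alert_level": 6, "alert_value": 97, "alert_severity": "critical"},
    {"_time": 1000, "itsi_service_id": "svc-a", "itsi_kpi_id": "kpi-mem", "kpi": "Memory",
     "entity_title": "web01", "alert_level": 5, "alert_value": 80, "alert_severity": "high"},
    {"_time": 1110, "itsi_service_id": "svc-a", "itsi_kpi_id": "kpi-mem", "kpi": "Memory",
     "entity_title": "web01", "alert_level": 2, "alert_value": 30, "alert_severity": "normal"},
    {"_time": 1115, "itsi_service_id": "svc-b", "itsi_kpi_id": "kpi-disk", "kpi": "Disk",
     "entity_title": "db01", "alert_level": 6, "alert_value": 99, "alert_severity": "critical"},
]

# Constructed stand-in for the source=service_mapping rows (itsi_service_id -> itsi_service).
SERVICE_NAMES: Dict[str, str] = {"svc-a": "Web Tier", "svc-b": "Database"}

# Same grouping as the SPL "by kpi, itsi_service_id, entity_title".
GROUP_KEY = ("kpi", "itsi_service_id", "entity_title")


def dedup_exact(rows: List[dict]) -> List[dict]:
    """Mirror `dedup _time, itsi_service_id, itsi_kpi_id, entity_title`: keep the first copy."""
    seen = set()
    out = []
    for r in rows:
        k = (r["_time"], r["itsi_service_id"], r["itsi_kpi_id"], r["entity_title"])
        if k in seen:
            continue
        seen.add(k)
        out.append(r)
    return out


def annotate_previous(rows: List[dict]) -> List[dict]:
    """Mirror `reverse | streamstats window=1 current=false latest(...) by ...`.
    Rows are walked oldest-first so "previous" is the prior observation of the same
    key, not the next one (which is what you get on unreversed, newest-first events)."""
    last: Dict[tuple, dict] = {}
    out = []
    for r in sorted(rows, key=lambda x: x["_time"]):  # stable sort keeps input order for ties
        k = tuple(r[f] for f in GROUP_KEY)
        prev: Optional[dict] = last.get(k)
        a = dict(r)
        a["alert_level_previous"] = prev["alert_level"] if prev else None
        a["alert_value_previous"] = prev["alert_value"] if prev else None
        a["alert_severity_previous"] = prev["alert_severity"] if prev else None
        a["called_last_time"] = prev["_time"] if prev else None
        last[k] = r
        out.append(a)
    return out


def detect_new_alerts(rows: List[dict], service_names: Dict[str, str],
                      now: int, window: int = 120, threshold: int = 4) -> List[dict]:
    """Return the latest row per (kpi, service, entity) that is newer than now-window,
    above `threshold`, and has a service name (inner-join semantics), flagged with
    alert_new when the level differs from the previous observation.
    Assumption (editor's, not the poster's): no prior observation counts as new."""
    latest: Dict[tuple, dict] = {}
    for a in annotate_previous(dedup_exact(rows)):
        if a["_time"] <= now - window or a["alert_level"] <= threshold:
            continue
        if a["itsi_service_id"] not in service_names:
            continue
        a["itsi_service"] = service_names[a["itsi_service_id"]]
        a["alert_new"] = int(a["alert_level"] != a["alert_level_previous"])
        prev_level = a["alert_level_previous"]
        a["up"] = None if prev_level is None else a["alert_level"] - prev_level
        latest[tuple(a[f] for f in GROUP_KEY)] = a  # oldest-first walk: last write wins
    # Same ordering as `sort -alert_new, -alert_level`.
    return sorted(latest.values(), key=lambda a: (-a["alert_new"], -a["alert_level"]))


if __name__ == "__main__":
    for row in detect_new_alerts(SAMPLE_ROWS, SERVICE_NAMES, now=1200):
        print(row["itsi_service"], row["kpi"], row["entity_title"],
              "level", row["alert_level"], "prev", row["alert_level_previous"],
              "new", row["alert_new"], "up", row["up"])
```

With the constructed rows and now=1200, the Disk KPI on db01 comes out as new (no earlier observation) and CPU Load on web01 as not new (it was already critical at the previous observation), while the Memory KPI drops out because it has recovered below the threshold. When comparing against the SPL, check how it treats a null alert_level_previous on the first observation of a key: eval's if() will not take the "yes" branch on a comparison with a missing field unless you test isnull() explicitly, so first-seen critical KPIs may be reported differently from this example.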