Splunk ITSI

How to get search into KPIs?

jacknguyen
Path Finder

I have a search: (index=.... sourcetype=....| stats count(transaction) as "Transaction")

Screenshot 2022-12-28 150639.png

However, when I use this search for ITSI, my result in KPIs is:

Screenshot 2022-12-28 151004.png

Anyone know why and how to fix this?

Thank you for your help.


srauhala_splunk
Splunk Employee

Hi! 

You should not use stats in a KPI search; in most cases that will never be needed. Reasons are:
1. ITSI itself is doing the "stats" for you.
2. stats, if done wrong, removes _time, which might be the problem in your case.

I would suggest changing your KPI search to something like: 

index=my_index sourcetype=my_type transaction=*
| eval has_transaction=1 

Now you can extract 2 KPIs depending on your use case: either sum of has_transaction (number of logged transactions in the past X min) or do a dc by transaction (number of unique transactions in the past X min).

/Seb 
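
A simplified model of the point made in the answer above, added here as an example; it is not part of the original posts and not ITSI's own code. It compares a search ending in `stats count(...)` with one that keeps raw events and adds `has_transaction=1`. The function names, the 60-second window and the sample events are constructed assumptions.

```python
# Simplified model (an assumption, not ITSI's implementation) of why a KPI base
# search should return raw events instead of ending in "| stats count(...)".
from collections import defaultdict

# Constructed sample events: epoch seconds plus a transaction id.
EVENTS = [
    {"_time": 0,   "transaction": "tx-a"},
    {"_time": 20,  "transaction": "tx-a"},
    {"_time": 70,  "transaction": "tx-b"},
    {"_time": 95,  "transaction": "tx-c"},
    {"_time": 130, "transaction": "tx-c"},
]

def stats_count(events, field, alias):
    """Like '| stats count(field) AS alias': one row, and _time is gone."""
    return [{alias: sum(1 for e in events if field in e)}]

def add_has_transaction(events):
    """Like '| eval has_transaction=1': every event kept, _time intact."""
    return [dict(e, has_transaction=1) for e in events]

def kpi_values(rows, field, op, window=60):
    """Hypothetical stand-in for the per-window aggregation the KPI applies.

    Rows are bucketed by _time into windows of `window` seconds, then `op`
    ("sum", "dc" or "count") is applied to `field` in each bucket. Rows with
    no _time cannot be placed in any window and are counted separately.
    """
    buckets, untimed = defaultdict(list), 0
    for row in rows:
        if "_time" not in row:
            untimed += 1
            continue
        buckets[row["_time"] // window * window].append(row[field])
    ops = {"sum": sum, "count": len, "dc": lambda v: len(set(v))}
    return {start: ops[op](vals) for start, vals in sorted(buckets.items())}, untimed

def compare():
    pre_aggregated = stats_count(EVENTS, "transaction", "Transaction")
    raw = add_has_transaction(EVENTS)
    return {
        "stats_rows": pre_aggregated,
        "kpi_on_stats": kpi_values(pre_aggregated, "Transaction", "sum"),
        "logged_per_window": kpi_values(raw, "has_transaction", "sum"),
        "unique_per_window": kpi_values(raw, "transaction", "dc"),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

In this model the pre-aggregated row lands in no time window at all, while the raw events give a per-window sum (logged transactions) and distinct count (unique transactions).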
