Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get search into KPIs?

jacknguyen
Path Finder
‎12-28-2022 12:11 AM

I have a search: (index=.... sourcetype=....| stats count(transaction) as "Transaction")

Screenshot 2022-12-28 150639.png

How ever when I use this search for ITSI my result in KPIs is:

Screenshot 2022-12-28 151004.png

Anyone know why and how to fix this

Thank you for your help.

Labels (2)
Labels
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎01-04-2023 06:04 AM

Hi! 

You should not use stats in a KPI search, in most cases that will never be needed. Reasons are:
1. ITSI itself is doing the "stats" for you.
2. stats if done wrong removes _time which might be the problem in you case. 

I would suggest changing your KPI search to something like: 

index=my_index sourcetype=my_type transaction=*
| eval has_transaction=1 

Now you can extract 2 KPIs depending on you use case, either sum of has_transaction (Number of logged transactions in past X min) or do a dc by transaction (Number of unique transaction in the past X min)

/Seb 

 

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...