Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make monitored object part of ITSI episode

Schroeder
Explorer
‎11-02-2021 06:42 AM

Hi!

Consider the following kpi base search monitoring the windows service state:

 

 

index=wineventlog sourcetype="WinEventLog:System" SourceName="Microsoft-Windows-Service Control Manager"
| rex field=Message "(The) (?<ServiceName>.+) (service entered the) (?<ServiceState>.+) "
| eval ServiceState=case(ServiceState=="running",2,ServiceState=="stopped",0,1==1,1)

 

 

 If I do not want to explicitly name the windows service in the base search how do I include the service name, here ServiceName, beside the entity_title=host in the later created ITSI episode.
Why? From the created episode we run a recovery action to restart a windows service when stopped. For this we need to know the service name and the host it is running on.

What we need is the entity_title=host and the whatsoever=ServiceName as dedicated fields available in the correlation search from this generic kpi base search. Performing an ITOA rest call is no problem.

Note: If I split by ServiceName then the service name becomes the entity_title and then the host is missing.

Maybe one having an idea which does help us. We just want to avoid creating one KPI per Windows Service.

Cheers

Peter

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...