Splunk ITSI

How to set KPI Search Schedule less than 1 minute?

nerdyboy99
Explorer

I know the KPI Search Schedule can only select items as mentioned in the picture.

But in case I want the information to be displayed faster by setting the KPI Search Schedule to less than 1 minute, is there a way to do this?


Or if not, what is the best way to display information on Glass Table in the fastest way?

Because the information on the Glass Table has to wait for the KPI Search Schedule to complete its task while the raw data has already been uploaded to Splunk. This causes the Glass Table information to appear slower than the actual data (about 3 minutes according to my observations).

Thank you very much if anyone can help.

srauhala_splunk
Splunk Employee

You could consider searching the raw data in the glass table instead of using the ITSI KPI summary.

Remember that the KPI will have a time unit. For example, the number of logins per minute over the past one minute. If you change this KPI to be calculated every X seconds, change the KPI to calculate the number of logins for the past X seconds as well.

Also note that there will always be some ingestion delay, i.e. the time from when an event/metric was created to when Splunk will be able to retrieve it from an index. Configuring ITSI to search too close to the current time can cause KPIs to show up as "NA" since no data for that time was available at the time the search was executed.

/Seb 
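The ingestion-delay effect described in the reply above, as an added Python model (not part of the original reply and not Splunk or ITSI code). The function `kpi_runs`, its `lag` parameter, the 90-second indexing delay and the event feed are all assumptions constructed for illustration.

```python
# Added model, not Splunk or ITSI code. All numbers below are constructed.

def kpi_runs(events, period, window, lag, start, end):
    """Simulate a scheduled KPI search that counts events.

    events : list of (event_time, index_time) pairs, in seconds
    period : seconds between scheduled runs
    window : length of the searched time range, in seconds
    lag    : how far the time range is shifted back from the run time
             (a parameter of this model)
    Returns [(run_time, count_or_None)]; None stands for an "NA" result.
    """
    results = []
    for run in range(start, end + 1, period):
        latest = run - lag
        earliest = latest - window
        # Counted only if the timestamp falls in the window AND the event
        # was already indexed (searchable) when the search executed.
        seen = sum(1 for ev, idx in events
                   if earliest <= ev < latest and idx <= run)
        results.append((run, seen if seen else None))
    return results


# Constructed feed: one event every 10 s, searchable 90 s after creation.
EVENTS = [(t, t + 90) for t in range(0, 600, 10)]


def demo():
    """Run the same 1-minute KPI with three different window offsets."""
    out = {}
    for lag in (0, 60, 120):
        out[lag] = kpi_runs(EVENTS, period=60, window=60, lag=lag,
                            start=180, end=360)
    return out


if __name__ == "__main__":
    for lag, runs in demo().items():
        print(f"lag={lag:>3}s ->", runs)
```

With no offset every run returns "NA", with an offset shorter than the indexing delay the KPI undercounts, and only an offset longer than the delay returns the full count, at the cost of showing older data.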

nerdyboy99
Explorer

I understand your suggestion of using search to extract data from the index without configuring it through KPIs, and I have given it some thought.

However, I would also like to display the health color of the Service on GT, which can only be calculated by ITSI and requires the KPIs to be configured there.

So it seems that accepting the delay on GT may be the only way to achieve this.


richgalloway
SplunkTrust

I am NOT suggesting replacing KPIs with searches.

Every KPI is powered by a search.  It's possible that those searches could be made more efficient (faster), therefore making the GT load faster.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

The search schedule cannot be less than 1 minute.

If it takes 3 minutes to render the Glass Table then perhaps the searches in the GT could be made more efficient.

---
If this reply helps you, Karma would be appreciated.