Re: How to setup the correlation search to make KP...

hidekikadowaki · ‎05-10-2023

Hello everyone

Now I'm trying to configure the alert of Multi-KPI and Single-KPI. But I don't have any idea about how to configure the correlation search to create the notable events for the status change of the single KPI (e.g. one KPI like CPU utilization or Memory usage in 1 service).

Could anyone teach me how to setup the correlation search for Single KPI in ITSI?

Thank you

srauhala_splunk · ‎06-12-2023

Hi!

Check out https://docs.splunk.com/Documentation/CPITSIMonitorAlert/2.2.0/CP/About for how to get started with correlation searches. This will give you the tools you need. For example "Service Monitoring - Sustained KPI Degradation (Recommended)" can be a good start.

To filter to specific to a specific service and or KPI use something like

| mstats latest(*) as * where index=itsi_summary_metrics 
    [| `service_kpi_list` 
    | search service_name="*" kpi_name=* 
    | fields kpiid 
    | rename kpiid as itsi_kpi_id
    | format ] by host span=1m
    is_entity_in_maintenance
    is_service_aggregate
    is_service_disabled
    is_service_in_maintenance
    is_service_max_severity_event
    itsi_kpi_id
    itsi_service_id
    itsi_team_id
    kpi_base_search
    kpi_importance

## OR from event index 
index=itsi_summary [|`service_kpi_list` | search service_name="*" kpi_name=* | fields kpiid | format ]
| lookup service_kpi_lookup _key as itsi_service_id OUTPUT title as service_name
| table _time kpi, alert_*, entity_* service*,indexed_is_service_aggregate

/Seb

How to setup the correlation search to make KPI's status change the notable events in IT Service Intelligence?

configuration

using ITSI

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

Are you a member of the Splunk Community?