ITSI Base Search - Metrics and How they are Genera...

makelovenotwar · ‎08-15-2023

I am using the nix TA to report on Unix and Linux server health. I'm trying to learn how things work by using the "Monitoring Unix and Linux" content pack and looking at how KPIs and the itsi_summary_metrics work together. I am analyzing the NIX:OS:Performance.NIX-df base search and see that it is using a "metrics search" and can't find what field that base search is looking for in my data to generate any of the metrics - for example "Free MB /". When I look at my events index (in my case the index is "os"), I have the sourcetype of df but it does not have a "Free MB /" field. Is there a saved search generating the field that the base search will be using for that metric? I looked in saved searches, Fields, All configurations, but can't find anything. Perhaps I'm looking for the wrong thing? Am I thinking about this all wrong? I am new to ITSI and am going to take the ITSI course soon.

makelovenotwar · ‎08-16-2023

Not sure if this was the right solution, but on the base search, I changed it from "metrics search" to "ad-hoc" and the prepopulated search has eval statements that create the "Free MB /" and other fields, making my KPIs populate.

ITSI Base Search - Metrics and How they are Generated

configuration

using ITSI

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...