Splunk ITSI

ITSI Health Score Calculation - Can I stop Or skip a KPI Calculation Temporarily on demand ?.

satyab
Observer

@splunk Team,
In some cases I want to Skip a specific KPI calculation or Stop it from calculating its next value.

its more like Maintenance mode concept but limited to KPI not at service level?

Example- We had a issue with SPlunk and due to which few of Indexes were not populating due to forwarder issues or data injection . In that Case when we know that issue persist for a while rather than Reducing Importance of KPI that is change to the model , I was wondering if there is any means to stop that?

I dont like the idea to touch my PROD model config( importance for these issues I need way to suppress the alert, I need if we have any other config level thing for this?

Curious to know.

Other EXAMPLE - Any Splunk Injection level failure will impact model calculation , how to handle these?

Thanks
satya

Thanks

Labels (2)
0 Karma

dlm
Explorer

I know this is an old post. You probably already figured this out. Since there are new people who look at these feeds, I figured I would answer. At this point there is no way to disable a single KPI. You can put the whole service in maintenance to stop the KPI's however, it will stop all of them on that service. Any other changes you would do to stop it would mess with the configuration.

My suggestion is that if you feel like there should be an enhancement to the maintenance area that allows individual KPI's to be disabled, then submit the enhancement for a vote. Have all your friends and coworkers vote on it.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...