Hello,
I'm currently having an issue with a new Splunk ITSI installation with entities not showing up in the service after KPI's are added. I recently completed the Implementing Splunk ITSI class they offer and set everything up according to how we did it in that class. Here's what I've gone through so far:
- Added all of my entities via the saved search that imports based on forwarders connected. This successfully identified and added all of my devices as entities (over 300 devices)
- I cloned the CPU and Memory searches that are built-in, verified the searches returned results, and then set the lag time to what was recommended by the search (348 seconds in my case)
- I then created the service, added my entities and linked my KPI Base Searches through the Generic KPI option.
- When setting the threshold of the KPI the Splunk instance was able to pull data for the entities over the last 60 minutes for what the KPI Base Search was supposed to be pulling
- Once I save and save and enable the service if I go to "View Health" it says no entities are available and all of the KPI's show N/A. Even though all of the searches work individually, and my entities are added and linked to the service (verified per the Entities page) there is nothing displayed here.
I've gone through all of the troubleshooting steps on the Splunk Wiki, verified that all of the Splunk for Linux/Unix options I need are enabled, sysstat is available on the servers, and so on. As far as I can see, everything looks correct. However, I cannot get past this issue and while I've reached out to Splunk Support on it they refuse to assist with even basic troubleshooting and want to charge me administrative fees. So, in my desperation I'm reaching out here to the community in the hope of getting some assistance with this issue.
Thanks in advance. If you need any other information please don't hesitate to let me know.
