Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ITSI, Service Analyzer

genesiusj
Builder
3 weeks ago

Hello,

NEW INFO BELOW

Looking a detailed doc/vid on Service Analyzer (SA). 

Having issues with permitting users an pre-filtered SA and blocking their ability to switch to another filter, or turn off filtering completely.

My flawed(?) understanding is there is really only a single SA which contains every service within ITSI. Using Teams, we should be able to create other SAs permitting permitting different access. However, that is not working; or I am missing something in the process. While I can save a new SA with the filter on service or tag in place; the user can click the X on the service or tag filter and see all services and tags available, including CPs, which they do not have read/write permissions to.

===================================

Here are some more details.

  • Created role tre_user, inherits from itoa_user.
  • Assigned my end users to that role.
    • Users can no longer edit and save our premade deep dives (DD). They can only modify and save as new DD; which is what we wanted them to be able to do.
  • When the tre_user logs in to ITSI they are taken to the default service analyzer (SA). We want them to be directed to a different SA. Also, don't want them to be able to access only a preset group of filters and flags within this assigned SA.
  • We are using the KPI base searches from the Monitoring Microsoft Windows Content Pack (CP). This worked without issue for our various services. However, we had to created an additional individual service for each entity.
    • 11 services covering 42 entities
    • 42 services, one for each entity
    • On our Glass table (GT) we have a main tab that displays all 11 services. These include KPIs for C: and 😧 drives as well as CPU and the Service Health Score (HS).
    • Clicking on the HS will open a new tab in the GT displaying the entities for that service with the individual KPIs for each entity. We had to create a separate service for each entity in order to use the threshold range colors from the KPIs. If we modify the KPI base searches by adding something like | where entity = "server_1", the search becomes an adhoc search and we lose the threshold ranges and colors. Therefore, we created use the base KPI search and in the entities tab we add only one entity. We have 42 entities; therefore, 42 additional services.

Here is the SA. We want the tre_user to see only the top section (11 services); while the the bottom section should not be visible in the SA, but accessible from the GT.Screenshot - 10_8_2025 , 10_27_51 AM.png

Checkout this forum question of WHY we need to an individual service for each entity.
Using Aliases in Deep Dives and with other ITSI components(?) 

Is there an easier way to do the above?

As a side question. Working with GT or Dashboard Studio (DS) we have come across some editing issues we did not experience in Classic Dashboards. We used to be able to develop in separate CD and then copy the rows/panels from these separate CDs into the main CD. Development was efficient.
Now with GT/DS, we can't do this. Only one developer at a time can work on the GT/DS. And if another developer left their GT/DS open, even if it was not in Edit mode; if they clicked Edit without refreshing or exiting and returning first, the first developers code was gone.
Any best practice tips on how you and your teams have handled this? It is really time consuming.

Thanks in advance and God bless,
Genesius

Labels (2)
Labels
0 Karma
Reply

danielbb
Motivator
2 weeks ago

It sounds like you want to restrict users to a specific, pre-filtered view in Service Analyzer and prevent them from removing or changing those filters.

To clarify, Service Analyzer itself is a single app that displays all services in ITSI, and filters applied through the UI are generally user-controlled. Teams and roles in ITSI control access to services and KPIs, but they don’t inherently restrict filter controls within Service Analyzer.

Some questions to better understand your setup:

  • Are you using ITSI Teams and roles to limit users’ permissions on specific services and KPIs?
  • How are you creating and sharing these filtered Service Analyzer views? Are these saved as bookmarks or dashboards?
  • Have you explored the “Service Visibility” settings in ITSI to restrict what services users can see?
  • Are users accessing Service Analyzer via direct URL with filters applied, or through the main ITSI navigation?

Getting clarity on these points can help determine if the behavior is expected or if additional permission configurations are needed.

If this helps, some karma would be appreciated!

Reply

genesiusj
Builder
Wednesday

@danielbb 

I've listed more details in my original post.

Here are answers to your questions.

  • Are you using ITSI Teams and roles to limit users’ permissions on specific services and KPIs?
    YES. Role tre_user has inherited permissions of itoa_user.
  • How are you creating and sharing these filtered Service Analyzer views? Are these saved as bookmarks or dashboards?
    There will be a landing page when the users access ITSI. This will be a GT with drilldown to SA, DD, and Entity Details.
  • Have you explored the “Service Visibility” settings in ITSI to restrict what services users can see?
    I believe I have done this. Would you mind elaborating more?
  • Are users accessing Service Analyzer via direct URL with filters applied, or through the main ITSI navigation?
    SA will be accessible from a GT.

Thanks and God bless,
Genesius

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
3 weeks ago

Hi @genesiusj 

I wonder if these pages help you in terms of SA? https://www.splunk.com/en_us/pdfs/getting-started/splunk-getting-started-with-itsi.pdf

https://docs.splunk.com/Documentation/ITSI/4.20.1/SI/AboutSA

https://help.splunk.com/en/splunk-it-service-intelligence/splunk-it-service-intelligence/visualize-a...

🌟 Did this answer help you? If so, please consider:

    • Adding karma to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

 

Reply

genesiusj
Builder
Wednesday

@livehybrid 
Thanks. I will check out those links.
I've listed more details in my original post.

God bless. 

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...