Splunk ITSI

Splunk IT Service Intelligence: Why am I not getting any data in the threshold section using the stats command in this search?

Jfilipek
New Member

I'm using Splunk IT Service Intelligence and this search:

(index=mtparam mtparam=Fabwide:NON-DELETABLE sourcetype=Realtime30MinPaceByArea) OR sourcetype=*RUN_count* | stats max(RUN_COUNT) as RUNCOUNT,  max(Value) as PACE | eval Delta=(PACE - RUNCOUNT) 

Using the Splunk search app, I see values for the three, but using ITSI, and what I believe to be the proper threshold field Delta, I am receiving no data in the threshold section. Am I doing something incorrectly?

0 Karma

0YAoNnmRmKDg
Path Finder

For future me, I thought i'd post the actual answer - after some amazing help, its actually very simple.....

to make a KPI to track errors....

make your search to filter results

index=main error* fail*

then in the "Threshold Field" to use

_time

and then set the "Service/Aggregate Calculation" to be "Count"

also remember to click the "Apply Adaptive Thresholding" button to apply the template chosen and job done!

tfletcher_splun
Splunk Employee
Splunk Employee

It is not technically supported to have a transforming/reporting search command such as stats in the KPI's base search. However it will still work if you append the "gettime" macro to your search.

The charts do not work because they are expecting a time field. Once you put in the gettime you will get one data point in the chart. Everything in the UI for the rest of the app will still work as long as you do not convert to "raw" and stick with the ITSI summary for powering visualizations. You can confirm that it will work by clicking on the "generated search" in the modal for KPI definition. That will open the search ITSI will be using in the search, if the results from that look good, then you are good to go!

For reference this is the modification I would recommend to your search:

(index=mtparam mtparam=Fabwide:NON-DELETABLE sourcetype=Realtime30MinPaceByArea) OR sourcetype=*RUN_count* | stats max(RUN_COUNT) as RUNCOUNT,  max(Value) as PACE | eval Delta=(PACE - RUNCOUNT) | `gettime`

sundareshr
Legend

Try converting them to number convert num(PACE) as PACE | convert num(RUNCOUNT) as RUNCOUNT | eval Delta=(PACE - RUNCOUNT)

0 Karma

nravichandran
Communicator

Can you try using the delta command? | delta RUN_COUNT as PACE

0 Karma

jagadeeshm
Contributor

Did you ever figure out an answer for this issue? I ran into the same and above comments did not help.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...