Splunk ITSI

Splunk IT Service Intelligence: Why are KPIs defined Base Search different from when the same KPIs are opened from Deep Dive?

venkatesh296
Explorer

Hi Everyone,
In our Splunk IT Service Intelligence (ITSI) environment, some KPIs are defined with Base Search which was defined in KPI Base Search under configure. But when I open the same KPI from deep dives, the search is different? please help me.

Thanks.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@venkatesh296 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and up-vote any answers that were helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

skadadi_splunk
Splunk Employee
Splunk Employee

They are different because the data that needs to be represented on Deep Dive is different. The underlying results of the search is the same its just that we need to do something different in Deep Dive to represent data in a time series format. If you notice the first part of the search should be identical. After the first pipe we basically do some transformations to the data to represent it in a format that deep dive understands.

sshelly_splunk
Splunk Employee
Splunk Employee

Can u paste what you are seeing as search string for base and deep dive? If you look at the KPI, go to the search & calculate tab, look at the search. At the bottom of that pop-up, click on "Generated Search". That is the actual search for that specific KPI (even though the base search runs only once for all KPIs). The "generated search" is the same search that will be used when, from a deep dive, you choose "Open in search" from the deep dive. Hope this helps.

venkatesh296
Explorer

I would like to know how to edit Generated search?

Thanks.

0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee

I don't believe you can edit the generated search directly. The generated search is what splunk will run and is based on your KPI search configuration (base search, data model, or ad hoc). As for the deep dive view, I think what is used to populate the swim lanes is the generated search w/a sparkline command ( something like: your_kpi_search | stats sparkline .....)

0 Karma

venkatesh296
Explorer

Thank you. But I'm curious to know how was that generated search itself generate that search. Or we need to do anything for that?

Thanks in advance.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...