Splunk ITSI
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk IT Service Intelligence: Why are KPIs defined Base Search different from when the same KPIs are opened from Deep Dive?

venkatesh296
Explorer
‎01-05-2017 11:40 AM

Hi Everyone,
In our Splunk IT Service Intelligence (ITSI) environment, some KPIs are defined with Base Search which was defined in KPI Base Search under configure. But when I open the same KPI from deep dives, the search is different? please help me.

Thanks.

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎01-21-2017 11:38 AM

@venkatesh296 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and up-vote any answers that were helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply

skadadi_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 01:14 PM

They are different because the data that needs to be represented on Deep Dive is different. The underlying results of the search is the same its just that we need to do something different in Deep Dive to represent data in a time series format. If you notice the first part of the search should be identical. After the first pipe we basically do some transformations to the data to represent it in a format that deep dive understands.

Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 12:59 PM

Can u paste what you are seeing as search string for base and deep dive? If you look at the KPI, go to the search & calculate tab, look at the search. At the bottom of that pop-up, click on "Generated Search". That is the actual search for that specific KPI (even though the base search runs only once for all KPIs). The "generated search" is the same search that will be used when, from a deep dive, you choose "Open in search" from the deep dive. Hope this helps.

Reply

venkatesh296
Explorer
‎01-06-2017 08:47 AM

I would like to know how to edit Generated search?

Thanks.

0 Karma
Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎01-06-2017 09:13 AM

I don't believe you can edit the generated search directly. The generated search is what splunk will run and is based on your KPI search configuration (base search, data model, or ad hoc). As for the deep dive view, I think what is used to populate the swim lanes is the generated search w/a sparkline command ( something like: your_kpi_search | stats sparkline .....)

0 Karma
Reply

venkatesh296
Explorer
‎01-05-2017 02:22 PM

Thank you. But I'm curious to know how was that generated search itself generate that search. Or we need to do anything for that?

Thanks in advance.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top