Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk IT Service Intelligence: Why are KPIs defined Base Search different from when the same KPIs are opened from Deep Dive?

venkatesh296
Explorer
‎01-05-2017 11:40 AM

Hi Everyone,
In our Splunk IT Service Intelligence (ITSI) environment, some KPIs are defined with Base Search which was defined in KPI Base Search under configure. But when I open the same KPI from deep dives, the search is different? please help me.

Thanks.

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎01-21-2017 11:38 AM

@venkatesh296 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and up-vote any answers that were helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply

skadadi_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 01:14 PM

They are different because the data that needs to be represented on Deep Dive is different. The underlying results of the search is the same its just that we need to do something different in Deep Dive to represent data in a time series format. If you notice the first part of the search should be identical. After the first pipe we basically do some transformations to the data to represent it in a format that deep dive understands.

Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 12:59 PM

Can u paste what you are seeing as search string for base and deep dive? If you look at the KPI, go to the search & calculate tab, look at the search. At the bottom of that pop-up, click on "Generated Search". That is the actual search for that specific KPI (even though the base search runs only once for all KPIs). The "generated search" is the same search that will be used when, from a deep dive, you choose "Open in search" from the deep dive. Hope this helps.

Reply

venkatesh296
Explorer
‎01-06-2017 08:47 AM

I would like to know how to edit Generated search?

Thanks.

0 Karma
Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎01-06-2017 09:13 AM

I don't believe you can edit the generated search directly. The generated search is what splunk will run and is based on your KPI search configuration (base search, data model, or ad hoc). As for the deep dive view, I think what is used to populate the swim lanes is the generated search w/a sparkline command ( something like: your_kpi_search | stats sparkline .....)

0 Karma
Reply

venkatesh296
Explorer
‎01-05-2017 02:22 PM

Thank you. But I'm curious to know how was that generated search itself generate that search. Or we need to do anything for that?

Thanks in advance.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...