Splunk ITSI

Splunk Infrastructure Monitoring add-on with ITSI

rabadel83
Loves-to-Learn

Hi,

I'm working with the Splunk Infrastructure Monitoring Add-on, collecting information from Splunk Observability Suite (aka SignalFX) on ITSI, using the "sim flow". I'm trying to build KPI Base searches using this command and the information that the add-on is collecting.

When I execute the following query:

| sim flow query="data('cpu.utilization', filter=filter('host', '*')).publish()"

From the events of this result, some of the events related to X hosts have a variable AWSUniqueId that I'd like to obtain. For other hosts this variable doesn't exist, and so it doesn't appear in the event.

Therefore, I've tried with the following simple query:
| sim flow query="data('cpu.utilization', filter=filter('host', '*')).publish()"
| chart values(AWSUniqueId) as AWSUniqueId by host

But sometimes I receive all the information (with the correlation of the values), and other times it just shows the whole AWSUniqueId column with empty values, even though if I check the events the parameter is there. It looks strange, since if I just execute the query, sometimes it gives the results and other times it doesn't. Has anybody faced this same issue? Could it be a bug in the add-on? Or is what I'm trying to build with this data not allowed?

Thanks in advance!

Best Regards,
Raquel
