Utilizing Sum, Average etc in ITSI Generic KPI

PotatoDataUser

I have been having some trouble with Generic KPI setup in splunk ITSI

I have a query that returns data in the form of

Channel Count
Channel1 1000
Channel2 800
Channel3 1200 and so on

So I wanted to setup a KPI that runs this query with the alert value being sum of all the "Count", heres how I configured it.

I enabled a 7 day backfill, I dont have any split by entity rules

I am able to see the alert value is being captured in the generated search from the KPI builder.

But i am unable to see any KPI data or values being captured even when I let it sit for a while.

please help me with the setup. TIA

livehybrid

Hi @PotatoDataUser

Are you wanting to break it down by Channel? Or are you looking for just a sum of all channels?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

PotatoDataUser

Hi @livehybrid ,

For now I just want the sum of counts of all channels. I want to utilize the sum functionality of the KPI builder rather than modifying the query.

The only way I know how to do it for individual channels is to just modify the query searching for the said channel. I would really appreciate any alternative method on this.

Thanks.

livehybrid

Okay @PotatoDataUser , so you have created the KPI but it isnt populating? Are you able to see any data for that KPI in itsi_summary index?

PotatoDataUser

Hi @livehybrid

So to days later I see this

It says theres data being recorded in the KPI but simultaneously there is no data.

PotatoDataUser

I am able to see the KPI logging the alert value accurately for this service.

I just dont see the alert value being reflected in the graph for thresholding.

Utilizing Sum, Average etc in ITSI Generic KPI

using ITSI

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk