Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Utilizing Sum, Average etc in ITSI Generic KPI

PotatoDataUser
Explorer
‎03-11-2025 06:45 AM

I have been having some trouble with Generic KPI setup in splunk ITSI

I have a query that returns data in the form of

Channel       Count
Channel1    1000
Channel2     800
Channel3     1200  and so on

So I wanted to setup a KPI that runs this query with the alert value being sum of all the "Count", heres how I configured it.

PotatoDataUser_0-1741700440761.pngPotatoDataUser_1-1741700500678.png


I enabled a 7 day backfill, I dont have any split by entity rules

I am able to see the alert value is being captured in the generated search from the KPI builder.

PotatoDataUser_2-1741700644900.png


But i am unable to see any KPI data or values being captured even when I let it sit for a while.

please help me with the setup. TIA

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-11-2025 06:49 AM

Hi @PotatoDataUser 

Are you wanting to break it down by Channel? Or are you looking for just a sum of all channels?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply

PotatoDataUser
Explorer
‎03-11-2025 07:04 AM

Hi @livehybrid ,

For now I just want the sum of counts of all channels. I want to utilize the sum functionality of the KPI builder rather than modifying the query.

The only way I know how to do it for individual channels is to just modify the query searching for the said channel. I would really appreciate any alternative method on this.

Thanks.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-11-2025 07:12 AM

Okay @PotatoDataUser , so you have created the KPI but it isnt populating? Are you able to see any data for that KPI in itsi_summary index?

Reply

PotatoDataUser
Explorer
‎03-13-2025 05:26 AM

Hi @livehybrid 

So to days later I see this

PotatoDataUser_0-1741868741293.png

It says theres data being recorded in the KPI but simultaneously there is no data.

0 Karma
Reply

PotatoDataUser
Explorer
‎03-11-2025 07:25 AM

I am able to see the KPI logging the alert value accurately for this service.

PotatoDataUser_0-1741703070988.png

I just dont see the alert value being reflected in the graph for thresholding.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...