Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Utilizing Sum, Average etc in ITSI Generic KPI

PotatoDataUser
Explorer
‎03-11-2025 06:45 AM

I have been having some trouble with Generic KPI setup in splunk ITSI

I have a query that returns data in the form of

Channel       Count
Channel1    1000
Channel2     800
Channel3     1200  and so on

So I wanted to setup a KPI that runs this query with the alert value being sum of all the "Count", heres how I configured it.

PotatoDataUser_0-1741700440761.pngPotatoDataUser_1-1741700500678.png


I enabled a 7 day backfill, I dont have any split by entity rules

I am able to see the alert value is being captured in the generated search from the KPI builder.

PotatoDataUser_2-1741700644900.png


But i am unable to see any KPI data or values being captured even when I let it sit for a while.

please help me with the setup. TIA

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-11-2025 06:49 AM

Hi @PotatoDataUser 

Are you wanting to break it down by Channel? Or are you looking for just a sum of all channels?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply

PotatoDataUser
Explorer
‎03-11-2025 07:04 AM

Hi @livehybrid ,

For now I just want the sum of counts of all channels. I want to utilize the sum functionality of the KPI builder rather than modifying the query.

The only way I know how to do it for individual channels is to just modify the query searching for the said channel. I would really appreciate any alternative method on this.

Thanks.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-11-2025 07:12 AM

Okay @PotatoDataUser , so you have created the KPI but it isnt populating? Are you able to see any data for that KPI in itsi_summary index?

Reply

PotatoDataUser
Explorer
‎03-13-2025 05:26 AM

Hi @livehybrid 

So to days later I see this

PotatoDataUser_0-1741868741293.png

It says theres data being recorded in the KPI but simultaneously there is no data.

0 Karma
Reply

PotatoDataUser
Explorer
‎03-11-2025 07:25 AM

I am able to see the KPI logging the alert value accurately for this service.

PotatoDataUser_0-1741703070988.png

I just dont see the alert value being reflected in the graph for thresholding.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...