Splunk ITSI

When using Splunk IT Service Intelligence (ITSI), how do I get a KPI Base search that filters by service title?

nickmew
Path Finder

I may be missing something obvious, but I can't figure this out.

I have many applications set up as services set up in ITSI, all of which have an Application ID set up as their Service Title.

I have a stream of data coming in, which gives various counts, that I want to use as a KPI against these Services, which also has the Application ID stamped against them.

This data does not have any Entity information against it, so I can't filter by Entities linked to the Service.

I don't want to have to manually create a new search for each and every Application for these KPIs — they number in the hundreds and new ones come along regularly. I want to have a KPI base search and use this on a template service, so it is created only once.

Essentially need a KPI base search that filters by Service Title. Any ideas?

0 Karma

dmillis
Splunk Employee

You can use the application IDs as entities. Import them into the ITSI master entity list (import via search is probably easiest), then for each of your application-based services, add a single filtered entity corresponding to the name of the service.

Examples for importing entities:
column appid (Import as Entity Title)
examples of these entities:
appid = web11
appid = fubar17
appid = backend42

Inside the service called "fubar17", specify an entity filter like this:
EntityTitle matches 'web11' (Alias 'appid' matches 'web11' will work, too)

Then, create a KPI base search which filters on entities, using field 'appid'.

For bonus points: you could set up a single app-based service with all the 'right' base-search KPIs, then use it to create a Service Template, then cookie-cutter create all of your other app-based services in a single 'bulk import' action. Very cool!

0 Karma

nickmew
Path Finder

Thanks - I was wondering whether this might be the way to go, but wanted to see if there was something clever 'under the bonnet' I was missing.

0 Karma

dmillis
Splunk Employee

This IS the cleverness under the bonnet 🙂

0 Karma

nickmew
Path Finder

Not being able to filter by a primary key seems more like an obvious functional gap to me, but hey, that's the RDBMS background in me 🙂

0 Karma