Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

When using Splunk IT Service Intelligence (ITSI), how do I get a KPI Base search that filters by service title?

nickmew
Path Finder
‎11-02-2018 03:56 AM

I may be missing something obvious, but I can't figure this out.

I have many applications set up as services set up in ITSI, all of which have an Application ID set up as their Service Title.

I have a stream of data coming in, which gives various counts, that I want to use as a KPI against these Services, which also has the Application ID stamped against them.

This data does not have any Entity information against it, so I can't filter by Entities linked to the Service.

I don't want to have to manually create a new search for each and every Application for these KPIs — they number in the hundreds and new ones come along regularly. I want to have a KPI base search and use this on a template service, so it is created only once.

Essentially need a KPI base search that filters by Service Title. Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmillis
Splunk Employee
Splunk Employee
‎11-02-2018 05:51 AM

You can use the application IDs as entities. Import them into the ITSI master entity list (import via search is probably easiest), then for each of your application-based services, add a single filtered entity corresponding to the name of the service.

Examples for importing entities:
column appid (Import as Entity Title)
examples of these entities:
appid = web11
appid = fubar17
appid = backend42

Inside the service called "fubar17", specify an entity filter like this:
EntityTitle matches 'web11' (Alias 'appid' matches 'web11' will work, too)

Then, create a KPI base search which filters on entities, using field 'appid'.

For bonus points: you could set up a single app-based service with all the 'right' base-search KPIs, then use it to create a Service Template, then cookie-cutter create all of your other app-based services in a single 'bulk import' action. Very cool!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dmillis
Splunk Employee
Splunk Employee
‎11-02-2018 05:51 AM

You can use the application IDs as entities. Import them into the ITSI master entity list (import via search is probably easiest), then for each of your application-based services, add a single filtered entity corresponding to the name of the service.

Examples for importing entities:
column appid (Import as Entity Title)
examples of these entities:
appid = web11
appid = fubar17
appid = backend42

Inside the service called "fubar17", specify an entity filter like this:
EntityTitle matches 'web11' (Alias 'appid' matches 'web11' will work, too)

Then, create a KPI base search which filters on entities, using field 'appid'.

For bonus points: you could set up a single app-based service with all the 'right' base-search KPIs, then use it to create a Service Template, then cookie-cutter create all of your other app-based services in a single 'bulk import' action. Very cool!

0 Karma
Reply
Solved! Jump to solution

nickmew
Path Finder
‎11-02-2018 06:50 AM

Thanks - I was wondering whether this might be the way to go, but wanted to see if there was something clever 'under the bonnet' I was missing

0 Karma
Reply
Solved! Jump to solution

dmillis
Splunk Employee
Splunk Employee
‎11-02-2018 03:15 PM

This IS the cleverness under the bonnet 🙂

0 Karma
Reply
Solved! Jump to solution

nickmew
Path Finder
‎11-05-2018 01:20 AM

not being able to filter by a primary key seems more like an obvious functional gap to me, but hey, that's the RDBMS background in me 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...