Splunk ITSI

Why am I encountering issues in Splunk ITSI KPI setup?

anjchatt
New Member

Hello,
I am using an old Hive DB log in ITSI, but while creating a KPI I am getting an issue. I tried different functions like average/distinct etc. during KPI setup, but that is giving me some weird results.
For example, in my search query I am extracting all the failure counts due to connection timeout, but when I try to display that in ITSI, it is not giving me the expected answer. Please let me know how to handle that situation.

Regards,
Anjan

0 Karma

yannK
Splunk Employee

The reason why your KPI is not summarizing events is likely that your search is removing critical fields from the results.

Transformation commands are not allowed in a KPI.
See https://docs.splunk.com/Documentation/ITSI/latest/Configure/AddKPIs#Define_a_source_search_from_an_a...

The ad hoc search string that you create. This is the event gathering search for the KPI.
Note: The use of transforming commands, the mstats command, the gettime macro, or time modifiers in your KPI search is not recommended as this may cause issues with KPI backfill, the display of raw data on ITSI views such as glass tables and deep dives that allow you to run KPI searches against raw data, and the KPI threshold preview.

In your comment your search was:

("FAIL*" Connection timed out sourcetype="XXXXXX") date_minute="*" earliest=-2mon@mon latest=now| top limit=20 date_hour

The "top" command will remove all fields except "date_hour".
An ITSI KPI needs to have at least the field "_time" preserved in your results to be able to do some calculations.
Also, depending on the fields you are using for the KPI service aggregate, the entity calculation, the entity filter, and the entity split by, you have to make sure that those fields are preserved.

0 Karma

ansif
Motivator

Require more details: can you paste the search, result and your expectations in ITSI?

0 Karma

anjchatt
New Member

Please find the query below. I want to use date as the KPI: every day, how many failures due to the connection timeout issue.

("FAIL*" Connection timed out sourcetype="XXXXXX") date_minute="*" earliest=-2mon@mon latest=now| top limit=20 date_hour

I am expecting individual counts in KPI.

0 Karma

ansif
Motivator

Assume this search returns 20 events in 24 hours:

Check which field is unique in each event. Take that field as the Threshold Field. In the calculation window, count of the field value gives you the number of events. This gives you how many failures in 24 hours. Try to select time in ITSI KPI creation and not in the search itself. Let me know if you need any help.

NB: If there is no timeout in the last 24 hours and you wish to show this KPI as normal, then you need to select "treat gap as Normal" while creating the KPI.

0 Karma
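An added example, not from this thread, that plays out yannK's and ansif's points in Python: the event-gathering search keeps `_time`, `| top` strips it, and a per-window count (the KPI aggregation, with the "treat gap as Normal" choice) yields the daily failure counts the question asks for. The sample events, host names and dates are constructed; the window logic is a simplified stand-in for what ITSI does, not ITSI's own code.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for the Hive DB log in the question.
EVENTS = [
    {"_time": "2024-12-01T03:10:00Z", "_raw": "FAIL: Connection timed out", "host": "db1"},
    {"_time": "2024-12-01T09:45:00Z", "_raw": "FAIL: Connection timed out", "host": "db2"},
    {"_time": "2024-12-01T10:02:00Z", "_raw": "OK: query finished", "host": "db1"},
    {"_time": "2024-12-03T22:30:00Z", "_raw": "FAIL: Connection timed out", "host": "db1"},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def event_search(events):
    """Step 1: the thread's search without the trailing `| top`.
    It only filters, so every field (including _time) reaches ITSI."""
    return [e for e in events
            if e["_raw"].startswith("FAIL") and "Connection timed out" in e["_raw"]]

def top_command(rows, field):
    """What `| top <field>` hands back: one row per value with count and percent.
    _time and every other field are gone, so the KPI has nothing to bucket by."""
    counts = Counter(r[field] for r in rows)
    total = sum(counts.values())
    return [{field: v, "count": c, "percent": 100.0 * c / total}
            for v, c in counts.most_common()]

def kpi_windows(rows, start, end, window=timedelta(days=1), gap_is_normal=True):
    """Step 2: a simplified ITSI-style aggregation per calculation window (1 day
    here, count of the threshold field). A window with no events is a gap: with
    "treat gap as Normal" it reports 0, otherwise None (no value at all)."""
    counts = Counter()
    for r in rows:
        t = parse_time(r["_time"])
        if start <= t < end:
            counts[(t - start) // window] += 1
    result, cursor, i = [], start, 0
    while cursor < end:
        n = counts.get(i, 0)
        result.append((cursor.date().isoformat(), n if n or gap_is_normal else None))
        cursor, i = cursor + window, i + 1
    return result

def run_example(gap_is_normal=True):
    """Three-day KPI over the sample log, plus what `| top host` would have left."""
    start = datetime(2024, 12, 1, tzinfo=timezone.utc)
    rows = event_search(EVENTS)
    return (kpi_windows(rows, start, start + timedelta(days=3), gap_is_normal=gap_is_normal),
            top_command(rows, "host"))
```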