Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why itsi_summary index fields - service & service_name are not showing in the itsi logs

Nisha18789
Builder
‎08-27-2020 08:00 AM

we are using ITSI version 4.4.2

I per the ITSI documentation, we should be having service_name field in the events , however its missing for all our services. We were using ITSI 2.1 before and have moved to the newer version few months ago and all the existing services were backed up and restored to the newer version.

https://docs.splunk.com/Documentation/ITSI/4.4.2/Configure/IndexRef

Existing event log sample of our ITSI kpi data:

08/27/2020 10:42:55 +0100, search_name="Indicator - f6e4106b7a49f3b882d7fff4 - ITSI Search", search_now=1598521380.000, info_min_time=1598521315.000, info_max_time=1598521375.000, info_search_time=1598521402.096, qf="", kpi="Test Kpi", kpiid=f6e4106b7a49f3b882d7fff4, urgency=11, serviceid="6fb709cc-b8e9-4fce-8ffe-16f24a775500", itsi_service_id="6fb709cc-b8e9-4fce-8ffe-16f24a775500", is_service_aggregate=1, is_entity_in_maintenance=0, is_entity_defined=0, entity_key=service_aggregate, is_service_in_maintenance=0, is_filled_gap_event=0, alert_color="#99D18B", alert_level=2, alert_value=0, itsi_kpi_id=f6e4106b7a49f3b882d7fff4, is_service_max_severity_event=1, alert_severity=normal, alert_period=1, entity_title=service_aggregate

Below is the expected event log as per newer ITSI version.

05/14/2020 13:40:00 +0100, search_name=disabled_kpis_healthscore_generator, search_now=1589460060.000, info_min_time=1589460000.000, info_max_time=1589460060.000, info_search_time=1589460078.816, kpi="Test kpi", color="#CCCCCC", kpiid=76e0d65b920711618c59571e, enabled=0, urgency=5, kpi_name="Test kpi", gs_kpi_id=76e0d65b920711618c59571e, serviceid="8e827332-35f7-435d-bae3-134e81e943f9", gs_service_id="8e827332-35f7-435d-bae3-134e81e943f9", indexed_is_service_max_severity_event=0, indexed_is_service_aggregate=1, itsi_service_id="8e827332-35f7-435d-bae3-134e81e943f9", indexed_itsi_service_id="8e827332-35f7-435d-bae3-134e81e943f9", is_service_aggregate=1, is_entity_defined=0, entity_key=service_aggregate, alert_color="#CCCCCC", alert_level="-3", alert_value="N/A", itsi_kpi_id=76e0d65b920711618c59571e, kpi_urgency=5, search_name="Indicator-Disabled_kpis- ITSI search", is_service_max_severity_event=0, alert_severity=disabled, alert_period=5, entity_title=service_aggregate, indexed_itsi_kpi_id=76e0d65b920711618c59571e, service_name="Test service"

I want to know what could be the possible reasons behind this, and what is the easiest and preferred way to fix this, like can this be fixed when we upgrade to a higher version of ITSI?

Thanks in advance!

0 Karma
Reply

eduncan
Splunk Employee
Splunk Employee
‎08-28-2020 06:25 AM
Spoiler
When you look in the episode that is created when a KPI is alerting, do you see service_name in the common fields?  When you upgraded, did you clean your KV store first?
0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...