Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why itsi_summary index fields - service & service_name are not showing in the itsi logs

Nisha18789
Builder
‎08-27-2020 08:00 AM

we are using ITSI version 4.4.2

I per the ITSI documentation, we should be having service_name field in the events , however its missing for all our services. We were using ITSI 2.1 before and have moved to the newer version few months ago and all the existing services were backed up and restored to the newer version.

https://docs.splunk.com/Documentation/ITSI/4.4.2/Configure/IndexRef

Existing event log sample of our ITSI kpi data:

08/27/2020 10:42:55 +0100, search_name="Indicator - f6e4106b7a49f3b882d7fff4 - ITSI Search", search_now=1598521380.000, info_min_time=1598521315.000, info_max_time=1598521375.000, info_search_time=1598521402.096, qf="", kpi="Test Kpi", kpiid=f6e4106b7a49f3b882d7fff4, urgency=11, serviceid="6fb709cc-b8e9-4fce-8ffe-16f24a775500", itsi_service_id="6fb709cc-b8e9-4fce-8ffe-16f24a775500", is_service_aggregate=1, is_entity_in_maintenance=0, is_entity_defined=0, entity_key=service_aggregate, is_service_in_maintenance=0, is_filled_gap_event=0, alert_color="#99D18B", alert_level=2, alert_value=0, itsi_kpi_id=f6e4106b7a49f3b882d7fff4, is_service_max_severity_event=1, alert_severity=normal, alert_period=1, entity_title=service_aggregate

Below is the expected event log as per newer ITSI version.

05/14/2020 13:40:00 +0100, search_name=disabled_kpis_healthscore_generator, search_now=1589460060.000, info_min_time=1589460000.000, info_max_time=1589460060.000, info_search_time=1589460078.816, kpi="Test kpi", color="#CCCCCC", kpiid=76e0d65b920711618c59571e, enabled=0, urgency=5, kpi_name="Test kpi", gs_kpi_id=76e0d65b920711618c59571e, serviceid="8e827332-35f7-435d-bae3-134e81e943f9", gs_service_id="8e827332-35f7-435d-bae3-134e81e943f9", indexed_is_service_max_severity_event=0, indexed_is_service_aggregate=1, itsi_service_id="8e827332-35f7-435d-bae3-134e81e943f9", indexed_itsi_service_id="8e827332-35f7-435d-bae3-134e81e943f9", is_service_aggregate=1, is_entity_defined=0, entity_key=service_aggregate, alert_color="#CCCCCC", alert_level="-3", alert_value="N/A", itsi_kpi_id=76e0d65b920711618c59571e, kpi_urgency=5, search_name="Indicator-Disabled_kpis- ITSI search", is_service_max_severity_event=0, alert_severity=disabled, alert_period=5, entity_title=service_aggregate, indexed_itsi_kpi_id=76e0d65b920711618c59571e, service_name="Test service"

I want to know what could be the possible reasons behind this, and what is the easiest and preferred way to fix this, like can this be fixed when we upgrade to a higher version of ITSI?

Thanks in advance!

0 Karma
Reply

eduncan
Splunk Employee
Splunk Employee
‎08-28-2020 06:25 AM
Spoiler
When you look in the episode that is created when a KPI is alerting, do you see service_name in the common fields?  When you upgraded, did you clean your KV store first?
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...