Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ITSI | itsi_service_id to service name mapping?

cspires64
Path Finder
‎06-20-2017 12:21 PM

I want to query the summary index and pull back KPIs with high alert severity. However, in order to do this I have to first search and find the itsi_service_id. I know there has to be a mapping somewhere in ITSI that maps itsi_service_id to actual the service name. The below out of the box saved search uses command |gethealth to provide the service name and itsi_service_id, but this command is very specific to service health scores. Is there a lookup or KV store command I can use that already maps the itsi_service_id to the itsi service name?

Out of the box saved search: service_health monitor
no_health_score_data service_level_max_severity_event_only | stats latest(urgency) AS urgency latest(alert_level) AS alert_level latest(alert_severity) as alert_name latest(service) AS service latest(is_service_in_maintenance) AS is_service_in_maintenance latest(kpi) AS kpi by kpiid, serviceid | gethealth | gettime

My Current Query
index="itsi_summary" itsi_service_id="4bcf750c-f9c2-4149-8c3d-acdbd9a734c0" kpi=* alert_severity=high

I want to replace "itsi_service_id="blah blah" with service="Proper Service Name"

Reply

anapier_splunk
Splunk Employee
Splunk Employee
‎10-18-2017 12:56 PM

I hope you found this already so for those following this is what I use:

index=itsi_summary [|`service_kpi_list` | search service_name="blah blah" kpi_name=* | fields kpiid | format ]

While this does what you asked for I provided the kpiid mapping here because this will return all kpi ids for the named service but it can also be used with a single kpi or subset to get specific kpi records.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...