The reason why your KPI is not summarizing events is likely that your search is removing critical fields from the results. Transformation commands are not allowed in a KPI. see https://docs.splunk.com/Documentation/ITSI/latest/Configure/AddKPIs#Define_a_source_search_from_an_ad_hoc_search The ad hoc search string that you create. This is the event gathering search for the KPI. Note: The use of transforming commands, the mstats command, the gettime macro, or time modifiers in your KPI search is not recommended as this may cause issues with KPI backfill, the display of raw data on ITSI views such as glass tables and deep dives that allow you to run KPI searches against raw data, and the KPI threshold preview. in your comment your search was : ("FAIL*" Connection timed out sourcetype="XXXXXX") date_minute="*" earliest=-2mon@mon latest=now| top limit=20 date_hour The "top" command will remove all fields, except the "date_hour" ITSI KPI needs to have at least the field "_time" preserved in your results to be able to do some calculations. Also depending on the fields you are using for the KPI service aggregate, the entity calculation, and the entity filter, and the entity split by, you have to make sure that those fields are preserved. ... View more

Actually there is a problem in the latest eventgen where I had to comment out a line in a python file in order to get it to install. Once done I then ran into other issues creating an app and creating an eventgen.conf in local directory which was solved by: "What I've found is if you are on Windows copy eventgen.conf to locals folder and run icacls against it to change permissions. icacls C:\program files\Splunk\etc\apps\your app here\local\eventgen.conf /grant SYSTEM:F. Took me forever to figure this out. Also every time I edit the file I have to change perms again. Became such a pain that I wrote a c# service to watch for eventgen.conf changes and change perms automatically." ... View more