ITSI Base Search - Metrics and How they are Genera...

makelovenotwar · ‎08-15-2023

I am using the nix TA to report on Unix and Linux server health. I'm trying to learn how things work by using the "Monitoring Unix and Linux" content pack and looking at how KPIs and the itsi_summary_metrics work together. I am analyzing the NIX:OS:Performance.NIX-df base search and see that it is using a "metrics search" and can't find what field that base search is looking for in my data to generate any of the metrics - for example "Free MB /". When I look at my events index (in my case the index is "os"), I have the sourcetype of df but it does not have a "Free MB /" field. Is there a saved search generating the field that the base search will be using for that metric? I looked in saved searches, Fields, All configurations, but can't find anything. Perhaps I'm looking for the wrong thing? Am I thinking about this all wrong? I am new to ITSI and am going to take the ITSI course soon.

makelovenotwar · ‎08-16-2023

Not sure if this was the right solution, but on the base search, I changed it from "metrics search" to "ad-hoc" and the prepopulated search has eval statements that create the "Free MB /" and other fields, making my KPIs populate.

ITSI Base Search - Metrics and How they are Generated

configuration

using ITSI

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?