I'm using Splunk IT Service Intelligence and this search:
(index=mtparam mtparam=Fabwide:NON-DELETABLE sourcetype=Realtime30MinPaceByArea) OR sourcetype=*RUN_count* | stats max(RUN_COUNT) as RUNCOUNT, max(Value) as PACE | eval Delta=(PACE - RUNCOUNT)
Using the Splunk search app, I see values for the three, but using ITSI, and what I believe to be the proper threshold field Delta, I am receiving no data in the threshold section. Am I doing something incorrectly?
For future me, I thought i'd post the actual answer - after some amazing help, its actually very simple.....
to make a KPI to track errors....
make your search to filter results
index=main error* fail*
then in the "Threshold Field" to use
and then set the "Service/Aggregate Calculation" to be "Count"
also remember to click the "Apply Adaptive Thresholding" button to apply the template chosen and job done!
It is not technically supported to have a transforming/reporting search command such as stats in the KPI's base search. However it will still work if you append the "gettime" macro to your search.
The charts do not work because they are expecting a time field. Once you put in the gettime you will get one data point in the chart. Everything in the UI for the rest of the app will still work as long as you do not convert to "raw" and stick with the ITSI summary for powering visualizations. You can confirm that it will work by clicking on the "generated search" in the modal for KPI definition. That will open the search ITSI will be using in the search, if the results from that look good, then you are good to go!
For reference this is the modification I would recommend to your search:
(index=mtparam mtparam=Fabwide:NON-DELETABLE sourcetype=Realtime30MinPaceByArea) OR sourcetype=*RUN_count* | stats max(RUN_COUNT) as RUNCOUNT, max(Value) as PACE | eval Delta=(PACE - RUNCOUNT) | `gettime`