Splunk IT Service Intelligence

Splunk IT Service Intelligence: Why am I not getting any data in the threshold section using the stats command in this search?

Jfilipek
New Member

I'm using Splunk IT Service Intelligence and this search:

(index=mtparam mtparam=Fabwide:NON-DELETABLE sourcetype=Realtime30MinPaceByArea) OR sourcetype=*RUN_count* | stats max(RUN_COUNT) as RUNCOUNT,  max(Value) as PACE | eval Delta=(PACE - RUNCOUNT) 

Using the Splunk search app, I see values for the three, but using ITSI, and what I believe to be the proper threshold field Delta, I am receiving no data in the threshold section. Am I doing something incorrectly?

0 Karma

0YAoNnmRmKDg
Path Finder

For future me, I thought i'd post the actual answer - after some amazing help, its actually very simple.....

to make a KPI to track errors....

make your search to filter results

index=main error* fail*

then in the "Threshold Field" to use

_time

and then set the "Service/Aggregate Calculation" to be "Count"

also remember to click the "Apply Adaptive Thresholding" button to apply the template chosen and job done!

tfletcher_splun
Splunk Employee
Splunk Employee

It is not technically supported to have a transforming/reporting search command such as stats in the KPI's base search. However it will still work if you append the "gettime" macro to your search.

The charts do not work because they are expecting a time field. Once you put in the gettime you will get one data point in the chart. Everything in the UI for the rest of the app will still work as long as you do not convert to "raw" and stick with the ITSI summary for powering visualizations. You can confirm that it will work by clicking on the "generated search" in the modal for KPI definition. That will open the search ITSI will be using in the search, if the results from that look good, then you are good to go!

For reference this is the modification I would recommend to your search:

(index=mtparam mtparam=Fabwide:NON-DELETABLE sourcetype=Realtime30MinPaceByArea) OR sourcetype=*RUN_count* | stats max(RUN_COUNT) as RUNCOUNT,  max(Value) as PACE | eval Delta=(PACE - RUNCOUNT) | `gettime`

sundareshr
Legend

Try converting them to number convert num(PACE) as PACE | convert num(RUNCOUNT) as RUNCOUNT | eval Delta=(PACE - RUNCOUNT)

0 Karma

nravichandran
Communicator

Can you try using the delta command? | delta RUN_COUNT as PACE

0 Karma

jagadeeshm
Contributor

Did you ever figure out an answer for this issue? I ran into the same and above comments did not help.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...