need to have the entitlement first. ... View more

Once you login to Splunkbase with your credentials, search IT Service Intelligence and you will be able to download it.  You can apply your license after install.  You must have the entitlement in splunk.com first and can't download if you didn't buy it. ... View more

Are you trying to restrict access to the service view, or the underlying data the search returns?  Metrics have no real private info except a host name so not really sure why you are restricting this way.  Use teams instead from within ITSI to assign which services which members can see. ... View more

Ok so you need to first, make sure you are not using an alias field in any entity that is not unique.  Every entity alias must be a unique name just like a unique entity name.  Also make sure those other fields in your lookup table are entity information fields in your entity. When you have it set, inside of the service, under the entity tab, change the field name to 'Info' and then choose the service name value and on the right side enter what service name you want to include.  This allows you to filter by that information field and not a field in the raw data.  You just need to be sure that inside of your KPI search, you do the exact same lookup in your search command so that the field actually exists in the search returned. ... View more

You can do this filtering but the alias field must be unique or you will have duplicate entities.   Do you have access to a lookup where are you could list out the service name and which servers support each?  You could then do a look up and an entity import search that pose in a service name and then in your entity filter you just use that.   If you’d like to have a  session and I could show you let me know a good way to send you my info. ... View more

Hey I will load this on my env and take a look and if it is a bug I will let the developer know. ... View more

You don't actually need to add this field to your entity or even make it an entity.  The 'split by' field is really just a field in the data that you want to split by for view purposes only.  The entity filter info is looking for data that comes in from the raw data and matches something in your entity table.  Best practice is not to do a combo field but pick something that can always identify that entity in the raw data.  I would switch your entity filter field back to something that is in entity table itself.  If you are trying to show a KPI that only shows certain entities for a service, you still need to make sure that in your entity properties you have something in there from the raw data that can also be matched when the KPI runs.  For instance if I want entities that have a field 'host123' AND 'app123' I need to go to my Entity Filter tab in the Service and add those two things in.  Entity split fields are not used to filter anything but rather to view the data in a diff way.  For instance if I have 404 errors I may want to see them by host and by JVM.  To accomplish this I have one KPI that has 'host' in the entity split field, and another KPI that has the 'uri' in the split by field.  Hope that helps. ... View more

You are getting multiple episodes because once you get an up or a clear, it breaks and no more NE's can enter that episode.  If you are getting a lot of episodes you may consider using a KPI instead and only create alerts when the KPI turns red. ... View more

Few things to check:  Are the episodes truly duplicate (same exact number of events, same events, same timestamp)? Check in your agg policy breaking rules - what is in there?  Make sure that it's not set to 'break for event that is normal or when flow of events is paused for - if a normal event comes in or it hits that time limit, it will break the episode and start anew.  Also is there more than one agg policy that the trap would match when it comes in?  NE's can make it into multiple episodes IF they match more than one agg policy filter.  For instance, if my filter just says:  Severity >= Normal and snmp_name =* and then I have another agg policy with a similar filter but maybe just the Severity >= Normal, the trap will match two agg policies and end up in both.  Can you post a screenshot of your breaking rules and your ACTION tab? ... View more

Check that the box for 'filter entities by' matches the field you are using for entity rules.  The split by is not a filter so you should be able to split by the same field name. For instance if you are filtering entities by 'host' that is the same field you would put into the split field.   What types of metrics are you trying to add?  Make sure that in your base search for per entity you use sum, and for aggregate you use average.   ... View more

You just need to create a KPI inside of each service that counts NEAPS.  Something like this for your KPI search:   index=itsi_grouped_alerts service_name="Put your service name here"   For your split by field you want to use the itsi_group_id   For your calculation use distinct count or count.  Then you just drag that KPI to your glass table.   ... View more

Do you have an email address I can send contact info or an invite to slack? ... View more

If you are sure that even in the itsi_summary index that the groupid's for the ones retrieved via rest are NOT there, then I'd open a support case. ... View more

Also if you search the. index=itsi_grouped_alerts do you see the groupID of the same episodes you got from the REST API?   ... View more

Need more info on your filter.  What is set for Status Filter and Severity Filter? ... View more

They are timing out because of how many objects are in the KV Store.  Make sure you clean the KV store first and then you can change the default timeout of 12 hours.  The instructions are listed here:https://docs.splunk.com/Documentation/ITSI/4.5.0/Configure/Restore ... View more

When you look in the episode that is created when a KPI is alerting, do you see service_name in the common fields?  When you upgraded, did you clean your KV store first? ... View more

If you search the index itsi_summary do you see a consistent writing of events to the summary index?  Also if you go to time picker and choose 15 min, does anything show? ... View more

ITSI license is calculated by the events or data written to the itsi summary index.  It doesn't charge for what is ingested in to splunk rather what ITSI is ingesting into it's engine.  You need to look at how much data is being written to the itsi_summary index each day and that is your daily ingest. ... View more

In your actions of your agg policy you need to choose:  if the events in this episode are exactly equal to 1 and that way it creates one episode, not one every time a NE is added.  This way all subsequent NE's are in the episode and linked to ONE Servicenow Incident. ... View more

You can use this content pack:https://docs.splunk.com/Documentation/ITSICP/current/Config/AboutMA and it has corr searches that bring back KPI status.  You can use these as your starting point.  It will not tell you what the threshold is, rather if it is passed.  You don't need to pull the threshold setting you need to pull whether it has passed the threshold and then you can alert on it. ... View more

Are there really 9,000 unique entities that are related to a service?  Make sure that in your adhoc search you are deduping on the host name or entity title name.  If you want to manually add them from a csv, you need to have a field that designates the service they are supposed to be related to.  Best practice is to use something in the actual data of the entity that shows they should be part of a service and NOT a host name because then it is not dynamic.  If you are importing via a search and you have a large number of entities that already exist, it may fail because it is trying to update existing ones.  9K entities is a large number so make sure you are deduping in your ad hoc search. ... View more

I understand groups want their 'stuff' separate from others BUT this doesn't mean you have to create separate services.  Best practice, don't create services based on how people work, create them based on their dependency of the components.  You can still give them a view of their own stuff either through a Glass Table OR you can create views in Service Analyzer, Deep Dives or Episodes.  Personally I like Glass tables because you can create boxes and show whatever you want based on a splunk search.  Instead of dragging over a KPI that may have entities they don't care about, instead write a search pulling from itsi_summary index and filter to the entities you do care about.  This allows them to see just what they care about without you breaking a service apart to accomodate how they work.  Best practice, if you are measuring the same thing on 5 hosts that serve the same purpose (app servers, web servers, databases, or business service) that is one service. For entities and entity filtering you always want to try and filter by something other than a host name.  If you use only a host name or even an alias with the combo of a host and something else, you move towards 'static' membership.  If instead you create enrichment fields that you can then filter by, then membership becomes dynamic.  For instance, if you have a host naming convention on something like this  CHDBBNK3455 where the first two characters are the location (Chicago), the 2nd two are the role (Database), the 3rd are the apps it serves or service (Banking) you can regex those into new fields and create a lookup.  OR if you have info from a cmdb you can create a lookup.  Then you do entity import searches that are scheduled like this:  index=main host=* |lookup myenrichmentdata.csv host ON host.   This is basically saying..."hey lookup this is who I am, what do you know about me?" and all the fields in the lookup become enrichment in your entities.   This way if you wanted to create some view based on something like Support group, you can easily filter by those fields.  They become dynamic instead of static because you schedule it so when a new host starts reporting in, it too will do the lookup, pull it's new info, and then be imported in as an entity.  You never want to have duplicate entites even if the name is different and the underlying 'machine' or CI is the same thing because it will throw of your aggregate health scores.  Hope that helps! ... View more