Splunk IT Service Intelligence

Splunk IT Service Intelligence: Why are KPIs defined Base Search different from when the same KPIs are opened from Deep Dive?

venkatesh296
Explorer

Hi Everyone,
In our Splunk IT Service Intelligence (ITSI) environment, some KPIs are defined with Base Search which was defined in KPI Base Search under configure. But when I open the same KPI from deep dives, the search is different? please help me.

Thanks.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@venkatesh296 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and up-vote any answers that were helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

skadadi_splunk
Splunk Employee
Splunk Employee

They are different because the data that needs to be represented on Deep Dive is different. The underlying results of the search is the same its just that we need to do something different in Deep Dive to represent data in a time series format. If you notice the first part of the search should be identical. After the first pipe we basically do some transformations to the data to represent it in a format that deep dive understands.

sshelly_splunk
Splunk Employee
Splunk Employee

Can u paste what you are seeing as search string for base and deep dive? If you look at the KPI, go to the search & calculate tab, look at the search. At the bottom of that pop-up, click on "Generated Search". That is the actual search for that specific KPI (even though the base search runs only once for all KPIs). The "generated search" is the same search that will be used when, from a deep dive, you choose "Open in search" from the deep dive. Hope this helps.

venkatesh296
Explorer

I would like to know how to edit Generated search?

Thanks.

0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee

I don't believe you can edit the generated search directly. The generated search is what splunk will run and is based on your KPI search configuration (base search, data model, or ad hoc). As for the deep dive view, I think what is used to populate the swim lanes is the generated search w/a sparkline command ( something like: your_kpi_search | stats sparkline .....)

0 Karma

venkatesh296
Explorer

Thank you. But I'm curious to know how was that generated search itself generate that search. Or we need to do anything for that?

Thanks in advance.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...