Splunk IT Service Intelligence

Why is Splunk IT Service Intelligence (ITSI) not showing all entities in Service Detail View?

paulstout
Path Finder

We have 104 entities configured under a specific service in Splunk IT Service Intelligence (ITSI). This service also has 21 KPIs assigned (including Service Health Score). When in the Service Detail view, only 46 entities show when selecting the individual KPIs -- for all 21 KPIs. All 104 entities show on the Service Editor view.

I investigated the generated search for one of the KPIs and found that all 104 hosts were represented in the generated search. This is the same for KPIs generated from a base search or ad-hoc search. We do not use data models for this service.

Why could this happen? My concern is that the aggregate KPIs are not accounting for all 104 entities and our service visibility may be hindered. Any help would be greatly appreciated.


tfletcher_splun
Splunk Employee

It means the search for the data did not return the results. This can happen if in a particular run of the KPI there just wasn't data for some of those entities.

To debug, you should check for a prior run of that KPI or run the generated search from the configuration page's KPI editing modal. You want to see if the entities are represented in those search results. You want to ensure that the data is present that would be mapped to those KPIs and that it arrives in time.

One common root cause is late-arriving data. In the final step of the KPI there is a section for the monitoring lag, and it has a "check recommended lag" link. Click that link to check for late-arriving data.


paulstout
Path Finder

Yikes, thanks for the answer! I actually found what was going on in our environment -- someone or something (could have been a CSV import) had configured entities in our ITSI environment that had different names, but host=xxx for one of the alias fields overlapped with the entities I'd configured. Once I removed the duplicate entities, data began reporting against all 104 hosts.

Kinda stupid of me not to check, but I just didn't think that would happen and our entities were 15,000 strong at that point.

Lesson learned and great tips for investigating future issues, thank you!
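
Added example (not part of the original thread and not Splunk's own code): a check for the root cause found above, where two entities claim the same alias field value. The entity layout (`title`, `aliases`), the sample entities and the function names are constructed for illustration and are not the ITSI schema; case-insensitive comparison is an assumption that can be switched off.

```python
from collections import defaultdict

# Constructed sample data: a simplified stand-in for an exported entity list.
ENTITIES = [
    {"title": "web-01", "aliases": {"host": ["web-01"], "ip": ["10.0.0.11"]}},
    {"title": "web-02", "aliases": {"host": ["web-02"]}},
    {"title": "csv-import-7731", "aliases": {"host": ["WEB-01"]}},
    {"title": "db-01", "aliases": {"host": ["db-01"], "ip": ["10.0.0.11"]}},
]


def find_alias_collisions(entities, case_insensitive=True):
    """Return {(alias_field, value): [entity titles]} for every alias
    field/value pair that more than one entity claims."""
    owners = defaultdict(set)
    for entity in entities:
        for field, values in entity.get("aliases", {}).items():
            for value in values:
                key = value.strip()
                if case_insensitive:
                    key = key.lower()
                owners[(field, key)].add(entity["title"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def colliding_with(entities, service_titles, case_insensitive=True):
    """Keep only the collisions that involve an entity of one service."""
    wanted = set(service_titles)
    collisions = find_alias_collisions(entities, case_insensitive)
    return {k: v for k, v in collisions.items() if wanted & set(v)}


if __name__ == "__main__":
    for (field, value), titles in sorted(find_alias_collisions(ENTITIES).items()):
        print(f"{field}={value} claimed by: {', '.join(titles)}")
```

Passing the titles of a service's entities to `colliding_with` narrows a large entity list down to the overlaps that can affect that service's KPIs.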
