Splunk Search

ITSI | itsi_service_id to service name mapping?

cspires64
Path Finder

I want to query the summary index and pull back KPIs with high alert severity. However, in order to do this I have to first search and find the itsi_service_id. I know there has to be a mapping somewhere in ITSI that maps itsi_service_id to the actual service name. The out-of-the-box saved search below uses the command | gethealth to provide the service name and itsi_service_id, but this command is very specific to service health scores. Is there a lookup or KV store command I can use that already maps the itsi_service_id to the ITSI service name?

Out of the box saved search: service_health monitor
no_health_score_data service_level_max_severity_event_only | stats latest(urgency) AS urgency latest(alert_level) AS alert_level latest(alert_severity) as alert_name latest(service) AS service latest(is_service_in_maintenance) AS is_service_in_maintenance latest(kpi) AS kpi by kpiid, serviceid | gethealth | gettime

My Current Query
index="itsi_summary" itsi_service_id="4bcf750c-f9c2-4149-8c3d-acdbd9a734c0" kpi=* alert_severity=high

I want to replace itsi_service_id="blah blah" with service="Proper Service Name"

anapier_splunk
Splunk Employee

I hope you found this already; for those following, this is what I use:

index=itsi_summary [|`service_kpi_list` | search service_name="blah blah" kpi_name=* | fields kpiid | format ] 

While this does what you asked for, I provided the kpiid mapping here because it will return all KPI ids for the named service, but it can also be used with a single KPI or a subset to get specific KPI records.
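A generalisation of the subsearch above, added here as an example and not taken from the thread: instead of resolving one named service to its KPI ids up front, aggregate the high-severity summary records first and then attach service_name and kpi_name from `service_kpi_list` with a join on kpiid, so every affected service is listed by name rather than by itsi_service_id. It assumes `service_kpi_list` returns at least kpiid, service_name and kpi_name (the fields the answer selects from it) and that itsi_summary events carry kpiid (which the answer's subsearch relies on).

```spl
index=itsi_summary alert_severity=high kpi=*
| stats latest(alert_severity) AS alert_severity
        latest(alert_level) AS alert_level
        count AS high_events
        by itsi_service_id kpiid
| join type=left kpiid
    [| `service_kpi_list`
     | fields kpiid service_name kpi_name]
| table service_name kpi_name itsi_service_id alert_severity alert_level high_events
| sort - high_events
```

Aggregating with stats before the join keeps the left side small, which matters because join is bound by subsearch row limits; rows whose kpiid has since been deleted from ITSI keep their itsi_service_id but show an empty service_name.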
