Add KPI_Base_Search to ITSI through API Post

allisonwalther
Path Finder

Hello,

I was wondering if it is possible to add a KPI_Base_Search to a service's kpis? I know I can do it through the GUI, but I have about 500+ metrics that I need to add to my service. When I try to add a KPI to my service, it yells at me for not including a base_search. I don't want to add a kpi as an ad hoc search, but rather as a base search. Does anyone know what that sort of update would look like? Also, how do I get my kpi_base_search's base_search_metric?

Best,
Alli

0 Karma
1 Solution

allisonwalther
Path Finder

I found the answer. You need to include the information I have in the dictionary below. The most necessary part of those parameters is the "search_type". If this is not specified, it will default to an ad hoc search instead of using a kpi_base_search.

    payload['kpis'] = [{"base_search_id":baseSearchKey, "base_search_metric":metricKey, "title":kpiName,
                        "search_alert_earliest": 1, "alert_period":1, "is_entity_breakdown":True,
                        "entity_id_fields":"unlocode", "entity_alias_filtering_fields":"unlocode,san-id",
                        "is_service_entity_filter":True, "alert_lag":2, "unit":"", "entity_statop":"latest",
                        "aggregate_statop":"latest", "_key":baseSearchKey,
                        "base_search":baseSearch, "urgency":5,
                        "threshold_field":metric,"search_type":"shared_base"}]

Hope this can help someone else 🙂

0 Karma

MVREID
Path Finder

Just curious if you could also tell what endpoint you used? E.g. /itoa_interface/service/....

0 Karma

MVREID
Path Finder

When you have multiple services using the base search, how do you get it to generate unique "keys" for each of the KPIs?

0 Karma

allisonwalther
Path Finder

If I remember correctly, Splunk will auto-generate these keys for you. I created my own unique value for _key: hashlib.sha224(baseSearchKey+metric_name).hexdigest(). Basically just a hash of the metric name concatenated with the Splunk-generated key from my base search, the latter of which can be found by using Splunk's ITSI API.
When you go to look at the service you just created, you will notice that the service's summary will say that it has no KPIs. If you click on the service, you will see that the service has all the KPIs you just added. Then when you alter and save the service, Splunk will replace all of your hash-generated keys with their own unique keys. The summary of the service will now reflect the actual amount of KPIs it has.
This was the only way I was able to hack this together. If you find a better way, please share 🙂

MVREID
Path Finder

This works great.
BTW, if you also set the service to 'enabled': 0, effectively disabling the service, when you add the base search, all you then have to do is go into the UI and quickly Enable it instead of opening it and changing something.

The KPI is then recognized.
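
An added example, not code from any poster in this thread: it combines the pieces discussed above (search_type "shared_base", a SHA-224 value for each KPI's _key, and 'enabled': 0 on the service) into one payload builder for many metrics. The layout of the base search object's "metrics" entries, the service "title" field and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json

# Constructed stand-in for one kpi_base_search object; the "metrics" layout is
# an assumption, so check it against what your ITSI instance returns.
SAMPLE_BASE_SEARCH = {
    "_key": "constructed-base-search-key",
    "base_search": "index=example sourcetype=example_metrics",
    "metrics": [
        {"_key": "constructed-metric-1", "title": "queue_depth", "threshold_field": "queue_depth"},
        {"_key": "constructed-metric-2", "title": "berth_wait", "threshold_field": "berth_wait"},
    ],
}

# Per-KPI settings copied from the accepted answer in the thread.
KPI_DEFAULTS = {
    "search_alert_earliest": 1, "alert_period": 1, "alert_lag": 2, "urgency": 5,
    "is_entity_breakdown": True, "is_service_entity_filter": True,
    "entity_id_fields": "unlocode", "entity_alias_filtering_fields": "unlocode,san-id",
    "unit": "", "entity_statop": "latest", "aggregate_statop": "latest",
}

def kpi_key(base_search_key, metric_name):
    """Temporary unique _key: SHA-224 over base search key + metric name."""
    return hashlib.sha224((base_search_key + metric_name).encode("utf-8")).hexdigest()

def build_kpi(base_search, metric):
    """One KPI bound to the shared base search rather than an ad hoc search."""
    kpi = dict(KPI_DEFAULTS)
    kpi.update({
        "_key": kpi_key(base_search["_key"], metric["title"]),
        "title": metric["title"],
        "search_type": "shared_base",  # left out, the KPI becomes an ad hoc search
        "base_search_id": base_search["_key"],
        "base_search_metric": metric["_key"],
        "base_search": base_search["base_search"],
        "threshold_field": metric["threshold_field"],
    })
    return kpi

def build_service(title, base_search):
    """Service body for POST to /itoa_interface/service, created disabled."""
    kpis = [build_kpi(base_search, m) for m in base_search["metrics"]]
    if len({k["_key"] for k in kpis}) != len(kpis):
        raise ValueError("metric titles must be unique within a base search")
    return {"title": title, "enabled": 0, "kpis": kpis}

if __name__ == "__main__":
    print(json.dumps(build_service("Example service", SAMPLE_BASE_SEARCH), indent=2))
```

The printed JSON is the request body; hashing the encoded string is what makes the sha224 call work on Python 3, where passing a str raises TypeError.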

allisonwalther
Path Finder

Ooo good to know, I'll have to change my implementation a little bit. Thanks for sharing!

0 Karma

MVREID
Path Finder

Thanks! Figured it was going to take some hacky way to make it work.

What would be really nice is for the API to expose whatever happens when you Clone a KPI, then all items would be populated correctly.

0 Karma

allisonwalther
Path Finder

I used /itoa_interface/service -H "Content-Type: application/json" -X POST -d
I was creating services from scratch, but I suppose you could also update a preexisting service with a JSON payload of your kpis.

0 Karma

skoelpin
SplunkTrust

You need to configure the base search first then reference the base search in each KPI.

You can do that by going to Configure>Base Search

0 Karma

allisonwalther
Path Finder

I did, I have kpi_base_search objects all set up. Now I want to link them to a service through the API. How would I go about doing that? I was assuming it would be something like:

    curl -k -u admin:password "https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service//?is_partial_data=1" -X POST -H "Content-Type:application/json" -d '{??????}'

0 Karma