Splunk IT Service Intelligence

What is the difference in ITSI thresholds between Preview Aggregate Threshold values compared to the configure thresholds values?

EricLloyd79
Builder

I am seeing a difference in data (see screenshots) between the data previewed in the Preview Aggregate Thresholds and the data previewed below it under the Configure Thresholds for Time Policy. Does anyone know why these values would be different? Is the top one some kind of average of something?
You can see in the screenshots that for Friday, October 15th, 2018 at 12:00:00 PM, the top one shows a value of 2149.83 and the bottom shows a value of 7138.

alt text

alt text

0 Karma
1 Solution

skoelpin
SplunkTrust
SplunkTrust

It should be whatever you sent the calculation metric to when developing the kpi value. Are you looking over the same time window in both screenshots?

Rather than measuring a value at a single point in time, it would be better to pick 2 points in time and measure the sum from both time values. You can also look in the itsi_summary index and create your own timechart based on the value to determine which screenshot is correct

View solution in original post

0 Karma

EricLloyd79
Builder

@skoelpin
After some investigation, it seems that the value in the Preview Aggregate Threshold takes a kpi value sample. You can see from my search using itsi_summary that I found a value of 16 for 1:00 am on 10/9. and below that you can see that in the Preview Aggregate Threshold window there is a value for 16.17. I thought perhaps the decimal indicated that it was an average but I added up the values in the last 5 mins before 1:00 am and it didn't come out to 16.17.
alt text

alt text

You can see also I ran a query and asked for the sum of the last 5 mins and this seems to match the values in the chart below where the actual thresholds are set. I wont let me add any more attachments but basicallly the numbers matched for a sum of last 5 mins with the bottom preview chart.

So it seems the Preview Aggregate Threshold is a sampling of a kpi despite what calculation you asked for in the Base search while the lower one near the actual input for the threshold is the calculation of the kpi that you asked for.

Interestingly enough, these two number seemed very close to each other when I asked for an Average in the KPI base search rather than a sum.

skoelpin
SplunkTrust
SplunkTrust

Nice research!

0 Karma

skoelpin
SplunkTrust
SplunkTrust

It should be whatever you sent the calculation metric to when developing the kpi value. Are you looking over the same time window in both screenshots?

Rather than measuring a value at a single point in time, it would be better to pick 2 points in time and measure the sum from both time values. You can also look in the itsi_summary index and create your own timechart based on the value to determine which screenshot is correct

0 Karma

EricLloyd79
Builder

Sorry, what you are saying isn't making sense to me.
The first part did. Yes, I set the metric to SUM a particular KPI value. The bottom screenshot seems to display that metric correctly. The top one does not.

I dont understand your second recommendation. Why would I pick 2 points in time and measure the sum from both time values? Im trying to compare the data from one chart to another and verify it is the same data.

skoelpin
SplunkTrust
SplunkTrust

What I'm saying is you should measure the values over a span of time rather than a single point in time. You should run a timechart over the itsi_summary index for a set span of time and identify the value then compare it with your charts. You could be looking at different spans of time which may be leading to wrong values

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...