Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk IT Service Intelligence: Why are KPIs defined Base Search different from when the same KPIs are opened from Deep Dive?

venkatesh296
Explorer
‎01-05-2017 11:40 AM

Hi Everyone,
In our Splunk IT Service Intelligence (ITSI) environment, some KPIs are defined with Base Search which was defined in KPI Base Search under configure. But when I open the same KPI from deep dives, the search is different? please help me.

Thanks.

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎01-21-2017 11:38 AM

@venkatesh296 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and up-vote any answers that were helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply

skadadi_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 01:14 PM

They are different because the data that needs to be represented on Deep Dive is different. The underlying results of the search is the same its just that we need to do something different in Deep Dive to represent data in a time series format. If you notice the first part of the search should be identical. After the first pipe we basically do some transformations to the data to represent it in a format that deep dive understands.

Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 12:59 PM

Can u paste what you are seeing as search string for base and deep dive? If you look at the KPI, go to the search & calculate tab, look at the search. At the bottom of that pop-up, click on "Generated Search". That is the actual search for that specific KPI (even though the base search runs only once for all KPIs). The "generated search" is the same search that will be used when, from a deep dive, you choose "Open in search" from the deep dive. Hope this helps.

Reply

venkatesh296
Explorer
‎01-06-2017 08:47 AM

I would like to know how to edit Generated search?

Thanks.

0 Karma
Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎01-06-2017 09:13 AM

I don't believe you can edit the generated search directly. The generated search is what splunk will run and is based on your KPI search configuration (base search, data model, or ad hoc). As for the deep dive view, I think what is used to populate the swim lanes is the generated search w/a sparkline command ( something like: your_kpi_search | stats sparkline .....)

0 Karma
Reply

venkatesh296
Explorer
‎01-05-2017 02:22 PM

Thank you. But I'm curious to know how was that generated search itself generate that search. Or we need to do anything for that?

Thanks in advance.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...