Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Utilizing Sum, Average etc in ITSI Generic KPI

PotatoDataUser
Explorer
‎03-11-2025 06:45 AM

I have been having some trouble with Generic KPI setup in splunk ITSI

I have a query that returns data in the form of

Channel       Count
Channel1    1000
Channel2     800
Channel3     1200  and so on

So I wanted to setup a KPI that runs this query with the alert value being sum of all the "Count", heres how I configured it.

PotatoDataUser_0-1741700440761.pngPotatoDataUser_1-1741700500678.png


I enabled a 7 day backfill, I dont have any split by entity rules

I am able to see the alert value is being captured in the generated search from the KPI builder.

PotatoDataUser_2-1741700644900.png


But i am unable to see any KPI data or values being captured even when I let it sit for a while.

please help me with the setup. TIA

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
Super Champion
‎03-11-2025 06:49 AM

Hi @PotatoDataUser 

Are you wanting to break it down by Channel? Or are you looking for just a sum of all channels?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply

PotatoDataUser
Explorer
‎03-11-2025 07:04 AM

Hi @livehybrid ,

For now I just want the sum of counts of all channels. I want to utilize the sum functionality of the KPI builder rather than modifying the query.

The only way I know how to do it for individual channels is to just modify the query searching for the said channel. I would really appreciate any alternative method on this.

Thanks.

0 Karma
Reply

livehybrid
Super Champion
‎03-11-2025 07:12 AM

Okay @PotatoDataUser , so you have created the KPI but it isnt populating? Are you able to see any data for that KPI in itsi_summary index?

Reply

PotatoDataUser
Explorer
‎03-13-2025 05:26 AM

Hi @livehybrid 

So to days later I see this

PotatoDataUser_0-1741868741293.png

It says theres data being recorded in the KPI but simultaneously there is no data.

0 Karma
Reply

PotatoDataUser
Explorer
‎03-11-2025 07:25 AM

I am able to see the KPI logging the alert value accurately for this service.

PotatoDataUser_0-1741703070988.png

I just dont see the alert value being reflected in the graph for thresholding.

0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...