Splunk Lantern

Working with service insights in ITSI


A service is a set of interconnected applications and hosts that are configured to offer a specific service to the organization. These services can be internal, such as an organization’s email system, or external, such as an organization’s website.

You can create business and technical services that model those within your environment. Some services might have dependencies on other services. Services contain Key Performance Indicators (KPIs), which make it possible to monitor service health via service health scores, perform root cause analysis, receive alerts, and ensure that your IT operations are in compliance with business service-level agreements (SLAs).   

ITSI’s Service Insights allows you to create glass tables to help you monitor real-time interrelationships and dependencies via KPIs and service health scores across your IT and business services in one view. Glass tables also feature a drawing canvas where you can add visualizations in the form of KPIs and service health scores, upload images and icons, and add charts.

Another glass table used to evaluate business, operational and SLA performances, along with infrastructure status. 

Service Insights also enables you to create and use four kinds of dashboards: infrastructure overview, service analyzer, deep dives, and predictive analytics. 

Infrastructure Overview Dashboards provide a consolidated view of all your data integrations and investigation tools for operating systems, virtual infrastructures, containers, and cloud services. 

Service Analyzer Dashboards help you map dependencies based on a connection between devices and applications in a tile or topology view. You can visually correlate services to underlying infrastructure with a tile or tree view. You are also able to drill down to the code level and identify root causes directly from service monitoring dashboards.

Deep Dives Dashboards are an investigative tool to help you identify and analyze issues in your IT environment. 

Deep dives display a side-by-side view of KPIs and service health scores over time to help you zoom in on metric and log data and visually correlate root cause. 

Use side-by-side displays of multiple KPIs and correlate metrics over time to identify root causes.

Predictive Analytics Dashboards predict future incidents 30 minutes in advance using machine learning algorithms and historical service health scores.

Top five contributing service metrics are displayed to guide troubleshooting.

To learn more about these data models, see the Splunk ITSI interactive demo.

The following are included: Glass Tables (step 1/8), Predictive Analytics Dashboard (step 2/8), Service Analyzer Dashboard (step 5/8), and Deep Dive Dashboard (step 6/8).

Service Modeling and Service Decomposition 

Before you are ready to set up your dashboards and services in Splunk ITSI, it’s important to identify what services will provide the most value.

Best Practices for selecting the right services to apply in Splunk ITSI


To learn more, see the Tech Talk: Service Decomposition.

Create KPIs for Your Services

Every service you map in ITSI will have at least one KPI. KPIs are recurring saved searches that return the value of an IT performance metric. They are created within a specific service and define everything needed to generate searches to understand the underlying data, including how to access, aggregate, and qualify with thresholds. There are two types of KPIs: business and technical.

Doing pre-work with service decomposition to correctly identify what services are most valuable to the organization is a good first step to identifying appropriate KPIs to map to these services. Please schedule time with your account team to go through the service decomposition workshop. 

Best Practices for Choosing KPIs


Good KPIs have the following characteristics:

  • Provide data regularly
  • Self-normalizing data
  • Data with deltas, not counters 

You can also use Splunk App for Content Packs and Content Packs for preconfigured services and KPIs. Here are some KPIs available in the Microsoft 365 Content Pack:

Availability KPIs

Performance KPIs

Group Administration Activities KPIs

Login Activity KPIs

Office 365 Security & Compliance Center

  • Extended recovery
  • False positive
  • Investigating
  • Restoring service
  • Normal service 
  • Added delegation entry 
  • Added service principal 
  • Set company information
  • Set password policy 
  • Added group
  • Added member to group
  • Deleted group
  • Updated group 
  • Authentication methods
  • Distinct user sign-ins
  • Logins by region
  • Logon errors 
  • User agents
  • User types 
  • Mail flow
  • Elevation of exchange admin privilege
  • Unusual external user file activity
  • Potentially malicious URL click was detected

After you have your services, entity rules, KPIs, and service dependencies planned out, you can finally create services in ITSI! There are three ways to do so:

For more information regarding creating services, see the Service Insights Manual.

Get Started with Service Insights

Service Insights within Splunk ITSI consists of various dashboard views, alerts and metrics so that you can effectively monitor and map services within your organization. Here are some ways to get better acquainted with the various available features and views.

Tasks to tackle

Source: BSI workshop