Skip to main content
Os artigos do Splunk Lantern estão agora disponíveis em português.
Splunk Lantern

Working with service insights in ITSI


With Splunk ITSI, you can not only monitor your service health but also your business health. You can give your people the data they need to make informed decisions fast, cutting your resolution times from hours to minutes. You can show what's broken, when it broke, why it broke, and you can know with certainty what that's affecting.

Splunk ITSI glass tables let you create a high high-level view that you can display in a NOC or anywhere convenient so people can self-serve for the status information they need. You can show how entities relate and interact with each other, key performance indicators (KPIs) tied to any number of metrics from those entities, aggregate health scores, dependencies, and more.

This visibility is great for executive reporting and frees you from emailing status updates, but it's great for service teams too. Imagine your web team and mobile team are both chasing down the same issue. They'll eventually reach the same conclusion that there's an issue with the databases that feed our authorization service. But how long do you think it'll take them both to arrive there with the tools you have today? With a properly configured Splunk ITSI deployment, you can look at the service analyzer and identify the problem within fifteen seconds, and maybe see another service that needs attention. You can then make correlations based on the dependencies you've configured and find the root cause almost as quickly.

Curious how? Watch the following demo to find out.

Service dashboards in Splunk ITSI

Service Insights enables you to create and use four kinds of dashboards: infrastructure overview, service analyzer, deep dives, and predictive analytics. 

  • Infrastructure Overview Dashboards provide a consolidated view of all your data integrations and investigation tools for operating systems, virtual infrastructures, containers, and cloud services. 
  • Service Analyzer Dashboards help you map dependencies based on a connection between devices and applications in a tile or topology view. You can visually correlate services to underlying infrastructure with a tile or tree view. You are also able to drill down to the code level and identify root causes directly from service monitoring dashboards.
  • Deep Dives Dashboards are an investigative tool to help you identify and analyze issues in your IT environment. Deep dives display a side-by-side view of KPIs and service health scores over time to help you zoom in on metric and log data and visually correlate root cause. Use side-by-side displays of multiple KPIs and correlate metrics over time to identify root causes.
  • Predictive Analytics Dashboards predict future incidents 30 minutes in advance using machine learning algorithms and historical service health scores. The top five contributing service metrics are displayed to guide troubleshooting.

Service modeling and service decomposition 

Before you are ready to set up your dashboards and services in Splunk ITSI, it’s important to identify what services will provide the most value.

Best practices for selecting the right services to apply in Splunk ITSI

Screen Shot 2021-09-01 at 7.37.36 PM.png

Create KPIs for your services

Every service you map in ITSI will have at least one KPI. KPIs are recurring saved searches that return the value of an IT performance metric. They are created within a specific service and define everything needed to generate searches to understand the underlying data, including how to access, aggregate, and qualify with thresholds. There are two types of KPIs: business and technical.

Doing pre-work with service decomposition to correctly identify what services are most valuable to the organization is a good first step to identifying appropriate KPIs to map to these services. Please schedule time with your account team to go through the service decomposition workshop. 

Best practices for choosing KPIs

Screen Shot 2021-09-01 at 7.36.17 PM.png

Good KPIs have the following characteristics:

  • Provide data regularly
  • Self normalizing data
  • Data with deltas, not counters 

You can also use Splunk App for Content Packs and Content Packs for preconfigured services and KPIs. Here are some KPIS available in the Microsoft 365 Content Pack: 

Availability KPIs

Performance KPIs

Group Administration Activities KPIs

Login Activity KPIs

Office 365 Security & Compliance Center

  • Extended recovery
  • False positive
  • Investigating
  • Restoring service
  • Normal service 
  • Added delegation entry 
  • Added service principal 
  • Set company information
  • Set password policy 
  • Added group
  • Added member to group
  • Deleted group
  • Updated group 
  • Authentication methods
  • Distinct user sign-ins
  • Logins by region
  • Logon errors 
  • User agents
  • User types 
  • Mail flow
  • Elevation of exchange admin privilege
  • Unusual external user file activity
  • Potentially malicious URL click was detected

After you have your services, entity rules, KPIs, and service dependencies planned out, you can finally create services in ITSI! There are three ways to do so:

For more information regarding creating services, see the Service Insights Manual.

Get started with Service Insights

Here are some ways to get better acquainted with the various available features and views.

Source: BSI workshop