Skip to main content
Splunk Lantern

Adopting ITSI capabilities strategically


Splunk ITSI has many powerful features and capabilities that can improve your business operations. It can be tempting to deploy all of them at once for maximum impact. Doing so, however, can lead to more problems than it solves, causing scalability issues, skipped searches, and an overwhelmed and frustrated support staff.


Take a careful and intentional approach to adopting Splunk ITSI features. Here are four capabilities to be thoughtful about deploying:

  1. Service and KPI creation. Don't create too many services with meaningless KPIs. Use the Golden Signals to create an effective monitoring strategy that won't overwhelm your teams.
  2. Adaptive thesholding and time-based policies. Not every KPI needs these granular adjustments. Some services might be consistent, regardless of time of day or day of the week. Excess configuration in these cases adds unnecessary complexity. 
  3. Anomaly detection. Not every KPI has a clear pattern, and some spikes are not actually anomalous. Trying to apply anomaly detection to every KPI can result in meaningless data, and create distractions and noise.
  4. Correlation searches and notable event aggregation policies (NEAPs). If you enable all correlation searches without considering whether they are applicable, you are going to create a lot of noise and make your data hard to decipher. Assess whether the included correlation searches are relevant to your services and use cases. Similarly, creating NEAPs where they are not needed also makes your data harder to use.

Next steps

This content comes from the .Conf23 session, The Definitive List of Best Practices for Splunk® IT Service Intelligence: How to Configure, Administer, and Use ITSI for Optimal Results. In the session replay, you can watch Jason Riley and Jeff Wiedemann share the many awesome best practices they've amassed for designing key performance indicators (KPIs), services, episodes, and machine learning to maximize end-user experience and insights. Whether you're new or experienced, you'll come away with tactical guidance you can use right away.

You might also be interested in the following Splunk resources: