Splunk Lantern

Understanding the less exposed elements of ITSI

 

ITSI has a number of commands that can make your administrative life easier, but that’s not all. ITSI has ‘hidden’ fields that are not displayed in search results. These are very useful for many situations!

This article is part of the Definitive Guide to Best Practices for IT Service Intelligence. ITSI administrators will benefit from adopting this practice as they work on Service Insights.

Solution

Splunk ITSI is not a standalone app; it is a collection of apps. When looking at all the configuration files, you might think that most functionality is found in /itsi/default. However, this is not the case. Some highly useful functions are available in /SA-ITOA.

Macros

There is a large collection of macros that come shipped with ITSI. Many of these macros are situational, used to troubleshoot or look into issues with a service or KPI. Others help you run investigations. In particular, you might find the following useful:

  • filter_maintenance_entities
  • filter_maintenance_services(1)
  • get_all_kpis_status
  • service_kpi_list
  • Any of the index macros, which you can adjust to help search performance

Here are sample investigation results that you might get from using the service_kpi_list macro. This macro provides a wealth of useful information regarding the KPIs in this environment.

[Screenshot: sample results from the service_kpi_list macro]

Lookups

The SA-ITOA app also includes a number of built-in lookups.

If you are using the Splunk App for Lookup File Editing, SA-ITOA will be listed as ITOA Backend in the dropdown menu.

A few of the most useful lookups for getting information about your environment are:

  • itsi_backfill
  • itsi_services
  • itsi_refresh_queue
  • maintenance_calendar
  • itsi_entity_filter_rules
  • service_kpi_lookup

Here is an example of how you might use the itsi_entity_filter_rules lookup. The lookup shows the globally unique identifier (GUID) for entity rules, shown below in the _key field. This isn’t displayed by default but is really useful for lookups and | rest results.

[Screenshot: itsi_entity_filter_rules lookup showing the _key field]

When you add that _key field to your search, you pull up useful context that would otherwise be hidden, as shown in the search below.

[Screenshot: search with the _key field added]

Next steps

This content comes from the Splunk .Conf presentation, The Definitive List of Best Practices for Splunk® IT Service Intelligence: How to Configure, Administer, and Use ITSI for Optimal Results, with part one presented at .Conf23 and part two presented at .Conf24. In the session replays, you can watch Jason Riley and Jeff Wiedemann share the many awesome best practices they've amassed for designing key performance indicators (KPIs), services, episodes, and machine learning to maximize end-user experience and insights. Whether you're new or experienced, you'll come away with tactical guidance you can use right away.
