Skip to main content
Splunk Lantern

Prescriptive Adoption Motion - Business Service Insights


Customers today expect always-on and reliable digital services. But achieving effective service-driven monitoring is a critical challenge for many organizations. Defining and proactively monitoring the most crucial Service Level Objectives (SLOs), Key Performance Indicators (KPIs), and metrics is vital to ensure that critical service problems are identified and remediated quickly. This requires alignment between IT Ops teams, engineering teams, and other types of business stakeholders.

Traditional IT monitoring tools often lack comprehensive visibility into commercial off-the-shelf (COTS) applications and other essential services, such as ERP, warehouse, inventory, and supply chain management systems. As a result, tool sprawl becomes an issue, leading to increased costs and a lack of centralized data visibility. This makes it harder to identify relationships between applications and infrastructure, understand their impact on services, and align effectively with business priorities.

Splunk ITSI solves these problems by providing a premium analytics solution for managing and monitoring digital services.

Aim and strategy

Splunk customers who have deployed business service insights in Splunk ITSI have helped IT Ops and business teams align and modernize their monitoring approach from a domain-focused (app and infrastructure respectively) to a service-driven strategy. This provides several benefits:

  • A single live view of relevant IT and business service data. The Splunk platform and Splunk ITSI provide out-of-the-box, easily customizable knowledge objects, searches and dashboards with a live view of business service performance relevant to both IT and business leaders. With glass tables in Splunk ITSI, you see the real-time health of business SLAs and SLOs and connect that health back to the underlying services, KPIs, and entities that support them. These include COTS applications, as well as warehouse, inventory, and supply chain management systems.
  • See the health of services/entities and easily troubleshoot. Service Analyzer within Splunk ITSI lets teams view both the current health of their services, the overall service and infrastructure components, and how they’re connected. When something goes wrong, a troubleshooting starting point can quickly be identified, as well as what to do next. Teams can identify the specific KPIs that are causing an issue, view and investigate relevant episodes for the service, and easily conduct deep dives. 
  • Identify key areas for improvement and track progress. Quickly view the performance health that operations centers care about with out-of-the-box analytics and reporting in Splunk ITSI. Foster continuous improvement by quickly and easily identifying key areas for improvement, like MTTD (mean time to detect), MTTR (mean time to resolve), and alert prioritization to reduce noise. Then, track and report on progress. Splunk ITSI supports continuous improvement through reporting and analytics so teams can ensure the operations center, and therefore the business, is running as efficiently as possible.

Common use cases

  • Service monitoring to align IT with the line of business
  • Proactive incident prevention

User roles

Role Responsibilities

Business Executives

Use Glass Tables to monitor critical business services that impact business performance.

Service Owners

Monitor the performance of applications that support business processes and services.

Investigate root causes of problems and maintain availability of services. 

Lines of Business Teams 

Support business executives with operational dashboards and reports.

Manage business impact or external stakeholder experience that results from delivery of services. This includes understanding product releases and conducting A/B testing.

IT Operations/NOC Analyst

Use Episode Review, Service Analyzer, and Deep Dives to prioritize, investigate, and troubleshoot issues.

Provide a holistic view of shared infrastructure that may impact multiple lines of business.

Splunk ITSI Admin

Onboard data, deploy relevant content packs, create services, add entity rules, add technical & business KPIs, add service dependencies, configure deep dives, and configure machine learning capabilities to meet business requirements. 

Perform ongoing administration (configure new users, roles, and manage teams) and maintenance (upgrades, scheduled maintenance downtime, and backup and restore Splunk ITSI KV store data). 


1. Prerequisites

Start with a problem worth solving.

Splunk ITSI can be used to model practically any service. However, ITSI is more effective when applied to:

  • High-value/visibility services with significant impact to the business, such as services that affect revenue, customer satisfaction, SLAs, and similar 
  • Services with quantifiable downtime consequences (for example, cost per minute of downtime) 
  • Services centered around P1 and P2 incidents 
  • Services that fail often and result in war rooms
  • Services that have recurring outages  
  • Shared services that impact multiple business areas

2.0 Recommended training

Splunk ITSI users

Splunk ITSI administrators

Splunk Enterprise administrators

Splunk Cloud Platform administrators

3.0 Resources

Keep these things as mind as you plan your business service insights use case: 

  • Modify deep dives to make visualizations more meaningful. To understand their impact, add some business KPIs.
  • Deep dives allows you to bring together multiple data sources into a single visualization, for example metrics, business and technical KPIs brought together with raw event data. The correlation of data streams enables quick identification of root cause and the effect on the business.  
  • Leverage machine and human-influenced learning in ITSI to eliminate event noise and create proactive alerts for services issues. Predictive analytics for proactive incident prevention works best when a service has 5+ good KPIs and 1+ week of historical data. 
  • Visualize meaningful and contextual maps across service delivery components with glass tables.

Implementation guide

Your Splunk ITSI implementation should be split into a number of different phases:

1. Design and requirements gathering phase

In this phase, you'll validate your use case and ensure you understand objectives and expectations through conducting a Service Decomposition session. The session will help you understand:

  • What is the service to be monitored?
  • What are the components of the service?
  • What are the dependencies to each service?
  • What are the metrics/what do you care about?
  • What are the KPIs (business & technical) per service?
  • Identify data sources for each KPI

Some best practices for identifying KPIs and service metrics that need to be measured include:

  • Fewer services/KPIs that are well implemented are better than more services/KPIs that have not been tuned.
  • Creating KPIs is iterative. You should add extra KPIs after P1/P2 reviews.
  • Start with technical KPIs that are pre-built from relevant Content Packs.
  • Identify 3-4 meaningful business-level KPIs for your executives and business users.
    • Consider metrics like revenue per minute, number of checkouts, number of customer care calls, and customer sentiment. These tend to be more aggregate scores.
  • It's best to see 3 or 4 meaningful business-level KPIs than 15 or 20 noisy technical KPIs.
  • KPIs from the metric index can be 1500% faster.

To have a productive and successful Service Decomposition session, ensure you have:

  • At least 6 months of experience with Splunk Enterprise or Splunk Cloud Platform. Refer to the Recommended training section for a suggested training curriculum.
  • Proper representation from application service owners (business sponsor of a service and IT executive sponsor), application architects, operations domain experts, and Splunk administrators.
  • Identification of some of the business critical services. Each industry has key services, for example:
    • Retail. Order processing and consumer experience
    • Financial services and insurance. Trade processing and online loan approvals
    • Healthcare. Claims processing and patient experience
    • Telecommunications, media, and technology. Order-to-activation and contact center analytics
    • Public sector and education. Digital classrooms and student experience
    • Manufacturing. Supply chain optimization and service experience

You can review the .conf session ITO1387B - Explode your Splunk ITSI footprint: Automate your service decomps! to learn how to automate your service decompositions.  

2. Getting Data In phase

In this phase, you'll onboard data and install relevant ITSI Content Packs such as the Content Pack for ITSI Monitoring and Alerting.

3. Configuration phase

The bulk of the work takes place in this phase, which consists of all the implementation and deployment tasks and activities.

Success measurement

When implementing the guidance in this adoption guide, you should see improvements in the following: 

  • Protect performance and availability: reduce unplanned downtime by more than 60%
  • Efficient IT operations and management: reduce alert noise & MTTR by more than 90%
  • End-to-end service visibility: prevent service degradations 30 minutes in advance, and reduce total incidents by more than 40%
  • Improved service delivery
  • Greater customer satisfaction
  • Service-centric health reporting
  • Advanced analytics to detect patterns, anomalies and trends