Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding
future events or plans of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual
events or results may differ materially. The forward-looking statements made in this
presentation are being made as of the time and date of its live presentation. If reviewed after
its live presentation, it may not contain current or accurate information. We do not assume
any obligation to update any forward-looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is
subject to change at any time without notice. It is for informational purposes only, and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation
either to develop the features or functionalities described or to include any such feature or
functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk
Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States
and other countries. All other brand names, product names, or trademarks belong to their
respective owners. © 2019 Splunk Inc. All rights reserved.
© 2019 SPLUNK INC.
About Peter
20 years in Financial Technology industry
Software Developer/Manager 15 years
Perfect for anytime the list of entities is dynamic and you don’t know what the complete list
of entities will be
• There isn’t a constraint on what kinds of Splunk queries can become an ITSI KPI
• Feel free to use stats, eventstats, lookups, bin, etc. for complex queries
host=blue* sourcetype=iis
| stats count as RequestVolume by host
| eventstats mean(RequestVolume) as client_mean
| eval PercentVariance=round(((abs(RequestVolume-client_mean)/client_mean)*100), 0)
host=blue* sourcetype=iis
NOT [| inputlookup Filtered_ip.csv | format]
| stats count as RequestVolume by host
| eventstats mean(RequestVolume) as client_mean
| eval PercentVariance=round(((abs(RequestVolume-client_mean)/client_mean)*100), 0)
Can be enhanced to support more servers and converted into base searches like this…
host=* sourcetype=iis
| stats count as RequestVolume by host
| eval TierName=substr(host,1,len(host) - 2 )
| eventstats mean(RequestVolume) as client_mean by TierName
| eval PercentVariance=round(((abs(RequestVolume-client_mean)/client_mean)*100), 0)
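The base search above is worth sanity-checking before it becomes a KPI, because the tier mean is computed from whatever hosts happen to report and a lone host in a tier will always show 0% variance. The following is an added example, not code from the deck or from Splunk: it re-expresses the same stages (stats count by host, TierName via substr, eventstats mean by tier, PercentVariance) in Python over a constructed set of IIS-style events, so the arithmetic can be checked offline. The SAMPLE_EVENTS data and the hosts_over_threshold helper are my own constructions.

```python
"""Added example (not from the .conf19 deck): the ITSI base-search logic
re-expressed in Python so the KPI arithmetic can be checked offline.

SPL stage                                   -> Python equivalent
stats count as RequestVolume by host        -> request_volume_by_host()
eval TierName=substr(host,1,len(host)-2)    -> tier_name()
eventstats mean(RequestVolume) by TierName  -> per-tier mean in percent_variance_by_tier()
eval PercentVariance=round(...)             -> "PercentVariance" key of each row
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample events: the host name is the only field this KPI reads.
# blue01/blue02/blue03 form one tier, green01/green02 another; the final event
# has a different sourcetype and must be dropped by the sourcetype=iis filter.
SAMPLE_EVENTS = (
    [{"host": "blue01", "sourcetype": "iis"}] * 100
    + [{"host": "blue02", "sourcetype": "iis"}] * 100
    + [{"host": "blue03", "sourcetype": "iis"}] * 40
    + [{"host": "green01", "sourcetype": "iis"}] * 50
    + [{"host": "green02", "sourcetype": "iis"}] * 70
    + [{"host": "blue01", "sourcetype": "WinEventLog"}]
)


def tier_name(host: str) -> str:
    """substr(host, 1, len(host) - 2): the host name minus its last two characters."""
    return host[: max(len(host) - 2, 0)]


def request_volume_by_host(events, sourcetype="iis"):
    """stats count as RequestVolume by host, after the sourcetype filter."""
    return dict(Counter(e["host"] for e in events if e.get("sourcetype") == sourcetype))


def percent_variance_by_tier(events, sourcetype="iis"):
    """One row per host with its tier mean and PercentVariance, like the base search output."""
    volumes = request_volume_by_host(events, sourcetype)
    per_tier = defaultdict(list)
    for host, volume in volumes.items():
        per_tier[tier_name(host)].append(volume)
    tier_mean = {tier: mean(vols) for tier, vols in per_tier.items()}

    rows = []
    for host in sorted(volumes):
        tier = tier_name(host)
        client_mean = tier_mean[tier]
        # A count is never zero, so client_mean cannot be zero here; the guard
        # mirrors SPL's null-on-division-by-zero for KPIs built on sum/avg instead.
        variance = (
            round(abs(volumes[host] - client_mean) / client_mean * 100)
            if client_mean
            else None
        )
        rows.append({
            "host": host,
            "TierName": tier,
            "RequestVolume": volumes[host],
            "client_mean": client_mean,
            "PercentVariance": variance,
        })
    return rows


def hosts_over_threshold(rows, threshold):
    """Hosts whose volume deviates from their tier mean by more than `threshold` percent."""
    return [
        r["host"] for r in rows
        if r["PercentVariance"] is not None and r["PercentVariance"] > threshold
    ]


if __name__ == "__main__":
    result = percent_variance_by_tier(SAMPLE_EVENTS)
    for row in result:
        print(row)
    print("over 30%:", hosts_over_threshold(result, 30))
```

With the constructed data the blue tier mean is 80, so blue03 (40 requests) lands at 50% variance while green01 and green02 sit at 17% around their mean of 60. A tier with a single host always reports 0%, so a threshold on this KPI only means something once the tier has several entities reporting.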
Service Templates
• ITSI feature that allows services that have similar KPIs to “inherit” from a template
• Templates can be updated in one place and updates can optionally be pushed to all
services that inherit from the template
• Use cases include multiple services that all represent web servers, database servers,
application instances, firewalls, load balancers, clients, etc.
Entity Configuration
Custom Alerting
• If you want 100% control over alerting logic and display logic, you can implement your
own alerts
• ITSI’s KPI and service health results are all searchable in Splunk!
• Implement a Splunk Enterprise alert against the ITSI data
• ITSI data contains:
– Service ID (Built in lookups available to map to service name)
– KPI name
– KPI value for each entity and the aggregate
– KPI state (i.e. normal, low, medium, high, etc.)
– And much more
is_service_aggregate=0,
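To show what a custom alert over ITSI's KPI results has to handle, here is an added example that is not from the deck or from Splunk: it evaluates alert conditions over records shaped like the ITSI summary data described in the bullets (service ID, KPI name, per-entity value, state, and the is_service_aggregate flag). The field names itsi_service_id, kpi, entity_title, alert_value and alert_severity are my assumptions about that data, the SUMMARY_EVENTS records are constructed, and SERVICE_NAMES stands in for the built-in service-ID-to-name lookup the slide refers to.

```python
"""Added example (not from the deck): a custom alert evaluated over records
shaped like ITSI's summary data. Field names below are assumptions about that
data (itsi_service_id, kpi, entity_title, alert_value, alert_severity,
is_service_aggregate); verify them against your own ITSI index."""
from collections import defaultdict

# Constructed stand-in for the built-in ITSI lookup mapping service ID -> service name.
SERVICE_NAMES = {"svc-0001-web": "Blue Web Tier"}

# Constructed summary records. blue03 has two entries: the older one is "high",
# the newer one is back to "normal", so only its latest state should be alerted on.
# The is_service_aggregate=1 record is the service-level roll-up, not an entity.
SUMMARY_EVENTS = [
    {"_time": 1000, "itsi_service_id": "svc-0001-web", "kpi": "RequestVolumeVariance",
     "entity_title": "blue03", "is_service_aggregate": 0, "alert_value": 50, "alert_severity": "high"},
    {"_time": 1060, "itsi_service_id": "svc-0001-web", "kpi": "RequestVolumeVariance",
     "entity_title": "blue03", "is_service_aggregate": 0, "alert_value": 12, "alert_severity": "normal"},
    {"_time": 1060, "itsi_service_id": "svc-0001-web", "kpi": "RequestVolumeVariance",
     "entity_title": "blue01", "is_service_aggregate": 0, "alert_value": 44, "alert_severity": "high"},
    {"_time": 1060, "itsi_service_id": "svc-0001-web", "kpi": "RequestVolumeVariance",
     "entity_title": "service_aggregate", "is_service_aggregate": 1, "alert_value": 25, "alert_severity": "medium"},
    {"_time": 1060, "itsi_service_id": "svc-9999-db", "kpi": "DiskLatency",
     "entity_title": "db07", "is_service_aggregate": 0, "alert_value": 900, "alert_severity": "critical"},
]

# KPI states from the slide, ordered so a minimum severity can be applied.
SEVERITY_RANK = {"normal": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def latest_entity_states(events):
    """Most recent record per (service, KPI, entity), skipping service aggregates
    (the is_service_aggregate=0 narrowing the deck's alert search starts with)."""
    latest = {}
    for e in events:
        if e["is_service_aggregate"] != 0:
            continue
        key = (e["itsi_service_id"], e["kpi"], e["entity_title"])
        if key not in latest or e["_time"] > latest[key]["_time"]:
            latest[key] = e
    return latest


def evaluate_alerts(events, min_severity="high", service_names=SERVICE_NAMES):
    """Entities at or above min_severity, grouped by service name resolved from the lookup."""
    threshold = SEVERITY_RANK[min_severity]
    by_service = defaultdict(list)
    for (service_id, kpi, entity), e in sorted(latest_entity_states(events).items()):
        if SEVERITY_RANK.get(e["alert_severity"], -1) < threshold:
            continue
        # A service ID missing from the lookup falls back to the raw ID rather than
        # silently dropping the alert.
        name = service_names.get(service_id, service_id)
        by_service[name].append({
            "kpi": kpi,
            "entity": entity,
            "value": e["alert_value"],
            "severity": e["alert_severity"],
        })
    return dict(by_service)


def format_alert_email(alerts):
    """Plain-text body for an email action, one line per breaching entity."""
    lines = []
    for service, entries in alerts.items():
        lines.append(f"Service: {service}")
        for a in entries:
            lines.append(f"  [{a['severity'].upper()}] {a['kpi']} on {a['entity']}: {a['value']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert_email(evaluate_alerts(SUMMARY_EVENTS)))
```

Run as-is, the alert reports blue01 under "Blue Web Tier" and db07 under the unmapped ID svc-9999-db, while blue03 is omitted because its latest state is normal and the aggregate record is never treated as an entity. Taking the latest record per entity is the step most often forgotten when alerting straight off the summary data, since every KPI run writes a fresh record.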
Email Results
Alerting by Product
It’s silly but…
Possibilities…
• ITSI doesn’t limit what you can do with your Splunk queries
• Make the most out of entities, especially when they are dynamic
• You can both improve performance and reduce maintenance effort by use of base
searches and service templates
• Custom alerts can be created to support whatever your alert and incident policies and
procedures are
Thank You!
Go to the .conf19 mobile app to
Appendix