Splunk search for ITSI Services Not Reporting Data
Copy
| inputlookup service_kpi_lookup | fields _key title | rename _key as itsi_service_id | search [ search earliest=-7d latest=now index=itsi_summary itsi_kpi_id!=SHKPI* | stats values(alert_value) as alert_value by itsi_service_id | eval alert_value=mvjoin(alert_value,",") | search alert_value=N/A | fields itsi_service_id ]
This search will return all ITSI services that haven't reported any data within the past 7 days. This search will only return services that have KPIs associated with them. If used in a correlation search this can be useful to notifying you about services that are either experiencing a problem or that no longer exist.
