IT Service Intelligence Hands On

1. Copyright © 2015 Splunk Inc.
Splunk IT Service
Intelligence –
The Hands On Version
Nate Smalley

2. Where to get the Hand Out?
2
https://splunk.box.com/splunkliveitsi16

3. Log in to Splunk
1. Meet your partner in ITSI for the next
hour
(the individual to you left or right
2. Following instructions on attached paper
please log in as User1 OR User2
3. Don’t worry we will come back to the
Service Analyzer Later (Promise!!!)
4. Please Click Glass Table
Click Glass Table

4. Glass Table Decom Refresher
4
CLICK
“Buttercup Games
Business Process”
QUICK REFRESHER:
Business Service Discussion
Click Service Health

5. Technology End To End
5

6. New Requirement for DB Service
6
● Create 2 KPIs –
● Storage Availability
● Database error count
● Create Glass Table
“WE only have about 15min
TO DO WHAT ???!!???”
Think about how long this
would take you today?

7. 7
Configuration of DB Service
● Select Configure >
● Click Services

8. Lets Talk Entities
8
● Select DB Service
● Entities are things
● Limit # with:
● And/Or
● Where do they come from?
CMDB?? Search??

9. KPI’s in 5 min? Storage
9
● Click New – Generic KPI
● Select Data Model
● Host Operating System
● Storage
● Storage_used_percent
● Next

10. Storage Continued….
10
Splunk Builds Searches for you –
Oh Yeah that’s happening 
● Select Yes For Both Options
● Entity Mapping
● Host <-> Host
● Click Next

11. Last Stop for Storage
11
● Every 5 Min (think *Nix TA)
● Avg / Max/ etc
● Look back time frame = 5min
● Next
● Add unit of Measure = %
● Next

12. Final Steps only a minute left
12
● Set your thresholds
● Aggregate (All)
● Per Entity
● We will Discuss Adaptive Thresholds
(machine learning and anomaly
detection in just a moment)…
● Finish

13. Adaptive What?
13
● Lets Name it!
● Database Host
Storage Used Percent
● Adaptive thresholding
● Aggregates
● Per Entity

14. Anomaly Who?
14
● Turn On
● Set Training Window
● Show then adjust Sensitivity
● Click enable Alerting

15. KPI’s in 5 min? Errors
15
● Click New – Generic KPI
● Ad hoc Search
● Sourcetype=mysqld ERROR
OR CRITICAL
● Threshold Field (what we count)
● Priority

16. Errors Continued….
16
● Select Yes For Both Options
● Entity Mapping
● Host <-> Host
● Click Next
Splunk Builds Searches for you –
Oh Yeah that’s happening 

17. Last Stop for Errors
17
● Every 1 Min
● Count
● Look back time frame = 5min
● Next
● Add unit of Measure = Ct
● Next

18. Final Steps only a minute left
18
● Set your thresholds
● Aggregate (All)
● Per Entity
● Finish

19. Lets Build a Glass Table
19
● Using 10 min - build a Glass
Table for Database Tier
● Click Save

20. Uh-huh Disk = Bad
20
● Notable Events
● Click Alert Critical –
Disk Full MySQL

21. Notable Event Review
21
● Actions –
● ServiceNow
● What Else
● Deep Dive??
● Open DB Service
Kpis in Deep Dive

22. Deep Dive
22
Topics:
● Focus
● Lane Types
● Add other KPI’s
● Compare to Yesterday

23. Review Topics
23
● Business Services comprised of Technology Micro
Services which contain entities
● Measuring of Key Performance Indicators through quick
creation, adaptive thresholding and anomaly detection
● Service Analyzer
● Notable Event Framework
● Deep Dive to See EVERYTHING

24. Copyright © 2015 Splunk Inc.
• September 26-29, 2016
• The Disney Swan and Dolphin, Orlando
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 3 days of Splunk University
• Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and
• Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room &
Clinic, and MORE!
.conf2016: The 7th Annual
Splunk Worldwide Users’ Conference

25. Thank You