Video

What is Splunk IT Service Intelligence (ITSI)?

Episode 11

Video Summary

Splunk IT Service Intelligence (ITSI) is a premium application available for both Splunk Cloud and on-premise environments. It provides real-time visibility into the health of critical IT and business services, helping organisations detect issues, reduce downtime, and optimise service delivery. ITSI enables users to correlate performance metrics (KPIs), monitor services through advanced dashboards and visualisations, and connect to ITSM tools like ServiceNow to manage incidents seamlessly.

Key Concepts of Splunk ITSI

Services and KPIs

• Services can be categorised as technical (e.g. firewalls, databases) or business-focused (e.g. customer satisfaction, document processing).
• Each service has a Health Score (0–100), calculated from underlying KPIs.
• KPIs (Key Performance Indicators) include metrics such as CPU usage, latency, or transaction volume.
• KPIs can be weighted to influence overall service health depending on their importance.

Entities and Adaptive Thresholding

• Entities represent the individual components (like servers or hosts) that contribute to KPI values.
• ITSI supports adaptive thresholds that automatically adjust based on time or conditions (e.g. busier periods like Black Friday).
• Anomaly detection uses machine learning to highlight unexpected patterns in performance.

Service Trees and Visualisation

• Service trees illustrate how high-level services (e.g. a customer portal) depend on multiple technical components.
• Views include trees, tiles, and glass tables for high-level, real-time visibility.
• Glass tables are fully customisable dashboards that display live service data in a user-defined layout.

Demo Highlights

Service Analyzer

The Service Analyzer offers a dynamic, interactive overview of all services. It supports filtering, time-based analysis, and customised views. Analysts can drill down into specific services to inspect individual KPIs, identify trends, and pinpoint issues at the entity level.

Deep Dives

• Deep Dives enable analysts to visually explore KPI behaviour over time.
• Events and anomalies can be overlaid to correlate issues with incidents.
• Users can zoom into specific time periods and save deep dive views for repeated use.

Episodes and Alert Reduction

• ITSI introduces the concept of "episodes" to group related alerts.
• Alert noise is reduced through aggregation policies, transforming hundreds of events into a handful of meaningful episodes.
• Each episode displays impacted services and a timeline of alerts, and allows integration with tools like ServiceNow.
• Analysts can assign, comment on, and close episodes, keeping incident response streamlined and auditable.

Automation and Integration

• Actions can be triggered automatically or manually, including playbooks, scripts, and webhooks.
• ITSI integrates directly with Splunk SOAR, enabling enriched response workflows.
• Analysts can choose to create service tickets, notify stakeholders, or run automation based on KPI anomalies.

Additional Resources

Who are Somerford?

We are a passionate group of people delivering innovation to our customers on their digital transformation journey.

Splunk Observability Suite

Utilise Splunk's suite of observability to unleash real-time insights.

Splunk ITSI Solutions

Gain real-time visibility into your IT services, prevent outages, and ensure operational excellence.

Get in Touch to Learn More

At Somerford, we are proud to be an Elite Splunk partner with specialist certified consultants in different areas of the Splunk suite. If you'd like to speak with one of our video presenters, or connect with one of our other experts, please get in touch with us today.