Services & KPIs • Room 2

KPIs & Base Searches

A KPI (Key Performance Indicator) is a metric that measures a specific aspect of a service. Examples include response time, error rate, CPU utilization, or transaction volume. Each KPI is backed by a Base Search — a scheduled Splunk search that computes the KPI value.

Base searches are critical for performance. Multiple KPIs can share the same base search to reduce load. For example, one base search might calculate both average response time and error count from the same web server logs. ITSI calls this "shared base searches" and it is a key optimization technique.

Always try to consolidate KPIs onto shared base searches. Running 50 individual searches when 10 shared ones would suffice wastes search head resources.
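The consolidation check described above, as an added example that is not part of the original lesson or of ITSI itself: it groups a constructed KPI inventory by source search and schedule and compares scheduled-search load before and after sharing. The record keys, index names, and field names are assumptions, as is the rule that KPIs can share a base search only when both the source search and the schedule match.

```python
from collections import defaultdict

# Constructed KPI inventory; the keys are assumptions for this sketch, not ITSI's schema.
KPIS = [
    {"name": "Avg Response Time", "search": "index=web sourcetype=access_combined",
     "every_min": 5, "metric": "avg(response_time)"},
    {"name": "Error Count", "search": "index=web  sourcetype=access_combined",
     "every_min": 5, "metric": "count(eval(status>=500))"},
    {"name": "Request Volume", "search": "index=web sourcetype=access_combined",
     "every_min": 5, "metric": "count"},
    {"name": "CPU Utilization", "search": "index=os sourcetype=cpu",
     "every_min": 1, "metric": "avg(pctUsed)"},
    {"name": "Slow Requests", "search": "index=web sourcetype=access_combined",
     "every_min": 15, "metric": "count(eval(response_time>2))"},
]

def normalize(search):
    """Collapse whitespace only; SPL field names are case-sensitive, so case is kept."""
    return " ".join(search.split())

def plan_shared_searches(kpis):
    """Group KPIs that read the same data on the same schedule into one candidate base search."""
    groups = defaultdict(list)
    for kpi in kpis:
        groups[(normalize(kpi["search"]), kpi["every_min"])].append(kpi)
    return dict(groups)

def runs_per_hour(schedules):
    """Total scheduled executions per hour for a collection of intervals given in minutes."""
    return sum(60 // minutes for minutes in schedules)

def report(kpis):
    """Compare search count and hourly executions with and without sharing."""
    groups = plan_shared_searches(kpis)
    return {
        "searches_before": len(kpis),
        "searches_after": len(groups),
        "runs_per_hour_before": runs_per_hour(k["every_min"] for k in kpis),
        "runs_per_hour_after": runs_per_hour(every for _, every in groups),
    }

if __name__ == "__main__":
    for (search, every), members in plan_shared_searches(KPIS).items():
        print(f"every {every} min: {search}")
        for kpi in members:
            print(f"    {kpi['name']}: {kpi['metric']}")
    print(report(KPIS))
```

The "Slow Requests" KPI reads the same logs but stays in its own group because its schedule differs, so aligning schedules is part of the consolidation work.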

Knowledge Check

Complete the sentence about ITSI performance optimization:
Multiple KPIs can be consolidated onto a shared ____ to reduce the number of scheduled searches running on the search head.