ITSI converts your underutilized Splunk data into powerful KPIs and visibility, once you master its complexities
December 19, 2020

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk IT Service Intelligence (ITSI)

ITSI is used by our business unit in order to provide operational visibility into all our Splunk data. Splunk does a great job of aggregating data into a single searchable dataset, but Splunk Enterprise alerts are disjointed from one another and there are too many metrics we would need to alert on in Splunk Enterprise to be manageable. ITSI provides a framework to define the IT services that matter to you, such as the health of a server, an application, or a client, constantly monitor the KPIs that make up the health of that IT service, and organize all of it so that it is operationally easy to view the health of all services yet easy to drill down to a specific server or process experiencing a problem.
  • Monitor hundreds of IT services by continuously tracking thousands of KPIs in a scalable way.
  • Quickly identify problem areas by a combination of default visualizations and ability to create custom dashboards.
  • Extremely configurable to effectively monitor nearly any KPI imaginable from Splunk.
  • The extreme flexibility also makes it highly complex. Expert Splunk users are required to make full use of it.
  • Documentation is insufficient and does not cover advanced use cases that ITSI is capable of supporting.
  • Depending on how ITSI is configured, it can place heavy load on Splunk infrastructure. ITSI performance can be optimized in many ways but they are not always obvious.
  • ITSI Events/Alerts (AKA Episode Review) has flexibility in it but is still not as flexible as desired. However, this can be compensated for by directly querying ITSI's result data in Splunk.
  • ITSI enabled the rollout of KPIs to improve both the breadth and depth of coverage to ultimately reduce MTTR by detecting issues faster and their root cause.
  • Moving from "eyes on glass" monitoring of dashboards to 100% automated alerting allowed a reduction in the number of operators required per shift.
  • Simplifying the role of an operations staff member from constant analysis of dashboard data to simply receiving an alert for triage reduced the amount of training required for new staff.
ITSI stands alone as a tool for converting Splunk data into constantly monitored and organized KPIs. The alternative is manual creation and management of Splunk Enterprise alerts. That solution is not scalable to thousands of Splunk alerts. If you are building a monitoring solution from scratch, APM solutions like AppDynamics or Dynatrace might be applicable tools for certain situations. However, if you are already invested in Splunk and are looking to unlock the value of the data already in Splunk, I'm not aware of alternatives.
ITSI is the obvious tool for a scaled solution to continuously monitoring thousands of KPIs buried in Splunk. Any IT service question you might ask Splunk such as "Is traffic dropping to one of my data centers?" or "Are all my critical processes running?" or "Is traffic balanced across my web farm?" can be implemented in ITSI. However, all that flexibility comes at the cost of complexity. ITSI is easy for a consumer to use but not easy to learn how to administer. Simple use cases are not overly difficult to implement but it takes a combination of Splunk query expertise and patience to learn ITSI. Once mastered though, you gain unbelievable operational awareness into the critical KPIs hiding in your Splunk data.