Content Pack for ITSI Monitoring and Alerting

This documentation does not apply to the most recent version of Content Pack for ITSI Monitoring and Alerting. For documentation on the most recent version, go to the latest release.

Release notes for the Content Pack for ITSI Monitoring and Alerting

Version 2.1.0 of the Content Pack for ITSI Monitoring and Alerting was released on August 31, 2022. The following sections describe the contents of this version.

New features

New features of the Content Pack for ITSI Monitoring and Alerting include the following:

New feature or enhancement: Description

Alert and Episode monitoring services: Two new services have been added, ITSI Alert Analytics and ITSI Episode Analytics. They monitor incoming alert and episode volumes for alert storms, long-term trending, and greater visibility, and include new KPIs, a Service Analyzer view, and service templates.

Alert and Episode storm detection capabilities: Based on historical volume trends, Alert and Episode Storms can be detected and analyzed to determine severity, relevance, and probable cause. Includes a new Notable Event Aggregation Policy and Saved Episode View.

Event and Incident Operations Posture dashboard: Describes overall alert and episode handling trends over time, such as the Mean Time to Respond (MTTR) and Mean Time to Acknowledge (MTTA), and which services, alert groups, devices, and alert signatures have been the noisiest.

Correlation search prefixing is now supported: In prior versions of the content pack, cloned Service Monitoring and Episode Monitoring correlation searches could not be prefixed without breaking certain functionality. This issue has now been addressed. However, because of the complexity of the grouping rules, you should still not clone the Aggregation Policies shipped in this content pack.

The ITSI KPI Attributes Lookup Generator search now supports more logical default alert_group values: By default, new KPIs inherit the alert_group value of their service instead of using the service name. In other words, if an alert_group value is set on the service health score row of the itsi_kpi_attributes lookup, the generator search uses that alert_group value for any newly discovered KPIs within that service.

Correlation searches now support the itsiInclude field to explicitly disable Service Monitoring: The ITSI KPI Attributes Lookup Generator search and the Service Monitoring correlation searches now support the itsiInclude field, which explicitly disables Service Monitoring for services and KPIs where itsiInclude=false. This is useful for services and KPIs that are covered by alternate alerting methods such as KPI Alerting or Multi-KPI alerts.

New macro: filter_itsi_include_is_false: This macro, defined in the DA-ITSI-CP-monitoring-alerting/local/macros.conf file, determines whether an alert is included based on its itsiInclude field.
For more information, see Enable or disable service monitoring for certain services and KPIs.

Fixed issues

This version of the Content Pack for ITSI Monitoring and Alerting has these reported fixed issues. If no fixed issues are listed in the following table, no issues have been reported.

Issue: Description

Dashboard performance improvements: The ITSI Service and KPI Severity Analytics dashboard and the ITSI Service and KPI Threshold Analytics dashboard have been refactored for better performance and usability. These dashboards no longer depend on the itsi_kpi_attributes lookup to resolve service and KPI IDs to service and KPI names.

Knowledge objects and searches now use macros to specify indexes: All occurrences of hard-coded indexes in knowledge objects have been replaced with macros for better usability and flexibility. If you use customized indexes, update the index macros accordingly.

Universal Correlation Search (UCS) performance improvements: The Universal Correlation Search has been refactored for better performance.

The Episode Monitoring correlation search Set Episode to Highest Alarm Severity now works with pseudo entities: Previously, when pseudo entities were used with ITSI services, event grouping did not work with the Set Episode to Highest Alarm Severity correlation search because it cleared the serviceid field after running. This has now been resolved.

Performance and scaling improvements for the saved search itsi_entity_name_normalizer: This saved search ensures that all entities have a normalized entity_name alias, but it failed when the total number of entities exceeded 50,000. It now scales beyond 50,000 entities and runs more efficiently.

Bug fixes for Saved Episode Views: When used, these Episode Views caused the Count column in Alerts and Episodes to disappear. Four Episode Views were affected: Episodes - All, Episodes - Adjusted by Episode Monitor, Episodes - New (untriaged), and Episodes - Open. This has now been resolved.

The example service tree "ITSI Monitoring" has been removed: This service tree was created for demonstration purposes only and caused more confusion than benefit. To test or demonstrate the functionality of the content pack against a real-world service tree, install the Monitoring Splunk as a Service content pack instead.

Fixed intermittent duplication of Episode Monitoring notable events: The Episode Monitoring correlation searches use alert throttling to prevent duplicate alerts from being created. However, these searches were configured to throttle on an invalid field, itsi_tracked_alerts, which could result in duplicate Episode Monitoring alerts.
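The throttling defect described in the last fixed issue is easy to reproduce in any custom correlation search, so the following savedsearches.conf fragment is included as an added illustration. It is not the content pack's own configuration: the stanza names and the fields listed in alert.suppress.fields are hypothetical, while the alert.suppress, alert.suppress.period, and alert.suppress.fields settings themselves are standard Splunk saved-search settings.

```ini
# Added illustration, not the content pack's own savedsearches.conf.
# Stanza names and suppression fields are hypothetical.

# Before: suppression keyed on a name that is not a field in the results.
# itsi_tracked_alerts is the name of an ITSI index, not a field emitted by
# the correlation search, so there is no value to throttle on and repeated
# runs can create duplicate Episode Monitoring notables.
[Episode Monitoring - Example (before)]
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = itsi_tracked_alerts

# After: key suppression on fields that every result row actually carries,
# so at most one notable per episode and severity fires per period.
[Episode Monitoring - Example (after)]
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = itsi_group_id,severity
```

Before relying on throttling in a cloned or prefixed correlation search, run the search interactively and confirm that every field named in alert.suppress.fields is present in its output; a field that is missing, renamed, or dropped by a late `fields` or `table` command silently defeats the suppression.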

Known issues

This version of the Content Pack for ITSI Monitoring and Alerting has the following reported known issues and workarounds. If no issues appear below, no issues have yet been reported.

Last modified on 30 August, 2022

This documentation applies to the following versions of Content Pack for ITSI Monitoring and Alerting: 2.1.0