Splunk® IT Service Intelligence

Administration Manual

This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

notable_event_correlation.conf

The following are the spec and example files for notable_event_correlation.conf.

notable_event_correlation.conf.spec

# This file contains attributes and values that ITSI Smart Mode uses to correlate
# notable events.
#
# There is a notable_event_correlation.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place a notable_event_correlation.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local. You must restart Splunk software to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles

GLOBAL SETTINGS


# Use the [default] stanza to define any global settings.
#  * You can also define global settings outside of any stanza, at the top
#    of the file.
#  * Each .conf file should have at most one default stanza. If there are
#    multiple default stanzas, attributes are combined. In the case of
#    multiple definitions of the same attribute, the last definition in the
#    file wins.
#  * If an attribute is defined at both the global level and in a specific
#    stanza, the value in the specific stanza takes precedence.

[<smart_mode_correlation_engine>]

* The settings under this stanza determine how ITSI Smart Mode analyzes notable
  event fields to determine whether they contain textual or categorical content.
* Smart Mode uses machine learning to compare event field values and group
  events that are related to each other.
* CAUTION: This configuration file does not support adding any additional stanzas.
  Do not add, remove, or change any of the settings or stanzas in this file unless
  specifically instructed to by a Splunk support specialist.

BLACKLIST FIELDS


black_list_fields = <comma-separated list>
* A list of field names in a notable event whose values to discard
  from consideration for Smart Mode event correlation.

TEXTUAL FIELDS


text_field_names = <comma-separated list>
* A list of field names in a notable event that usually
  represent textual content.
* A text field is a data structure that holds alphanumeric data,
  such as name and address.
* Defaults: comment,description,summoary,review,message

ignore_fields_that_contain = <comma-separated list>
* A list of field names to implicitly ignore because they are not useful
  for event correlation.
* ITSI ignores field names that contain any of the words in this list.
* For example, with the default "time", ITSI ignores fields that represent
  time, like alert_triggertime, alerttriggertime, lasttimeup, etc.
* Default: time

threshold_event_coverage_perc = <int>
* A threshold value for considering a notable event field
  as a text field.
* If the count (total number of occurrences) of a field divided by
  the total number of events processed in the time frame is less
  than the percentage specified in 'threshold_event_coverage_perc',
  then the notable event field is a text field.
* Default: 10

CATEGORICAL FIELDS


threshold_distinct_value_perc = <int>
* A threshold value for considering a notable event field
  as a categorical field.
* If the distinct_count (count of distinct values) of a field
  divided by the count (total number of occurrences) of the field is
  less than the percentage specified, then the notable event field
  is a categorical field.
* Categorical fields have a distinct value, such as a status field,
  as opposed to textual data, descriptions, numerical values, and comments.
* If this setting determines that a field is NOT a categorical field, ITSI uses
  the two settings below ('min_distinct_value_perc' and 'max_count_perc')
  in a second calculation to check whether the field is a categorical field.
* Default: 35

min_distinct_value_perc = <int>
* Helps confirm whether a notable event field is a categorical field.
* Sets the minimum distinctive value percentage that a notable event field must
  be to be considered a categorical field.
* If the cumulative sum of 'min_distinct_value_perc' of distinct_count (count
  of unique values) of a field is at least 'max_count_perc' of the count
  (total number of occurrences) of the field, then the notable event field is
  considered a categorical field.
* For example, consider the following field:value pairs:
  {field:value1 count:34},{field:value2 count:31}, {field:value3 count:5},
  {field:value4 count:5} , ..., {field:value18 count:1} {field:value19 count:1},
  {field:value20 count:1}
  There are 20 different values listed for this field, so distinct_count = 20.
  ITSI sums the counts of all the values, so count = 80.
  80% of count = 64
  10% of distinct_count = 2, so you add the counts of the first two values above (34 + 31).
  {field:value1 count:34} + {field:value2 count:31} = 34 + 31 = 65 > 64
  Because 65 is at least 64, "field" is a categorical field.
* Default: 10

max_count_perc = <int>
* Helps confirm whether a notable event field is a categorical field.
* Sets the maximum count percentage that a notable event field must
  be to be considered a categorical field.
* If the cumulative sum of 'min_distinct_value_perc' of distinct_count (count
  of unique values) of a field is at least 'max_count_perc' of the count
  (total number of occurrences) of the field, then the notable event field is
  considered a categorical field.
* See the example for the 'min_distinct_value_perc' setting to understand
  how this setting works.
* Default: 80

notable_event_correlation.conf.example

No example
Last modified on 28 April, 2023
notable_event_commonality.conf   props.conf

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.16.0 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters