ITSI Normalization
The following table describes field and field definitions in support of Universal Alerting in ITSI. See the details About the Content Pack for Monitoring and Alerting in Splunk ITSI Content Packs.
The key for using the column titled "Abbreviated list of example values" follows. It is relevant for TA developers and ITSI implementors such as customers, SEs, and PSEs:
- Required: Required Fields must be included.
- Recommended: Recommended Fields are helpful, but the Universal Correlation Search does not require them.
- Optional: Optional Fields are available for more advanced integrations, such as providing drilldowns.
Field name | Data type | Description | Abbreviated list of example values |
---|---|---|---|
app |
string | The system, service, or application that generated the alert event. Examples include "Nagios Host", "Solarwinds", "Splunk Infra Mon". | recommended for ITSI |
description |
string | The description of the alert event. Adds more detail to the signature field. |
recommended for ITSI |
entity_name |
string | Used for the 'Entity Lookup Field' in the Universal Correlation Search. Default is <src> . |
optional for ITSI |
itsiDrilldownSearch |
string | SPL to drill down into the details of this alert. Default is "index=* signature="<signature>" src="<src>" . |
optional for ITSI |
itsiDrilldownURI |
string | External link for this alert, such as "https://bakookanet.com/alerts&alertid=1234567". | optional for ITSI |
itsiDrilldownWeb |
string | Optional Name for the link included in itsiDrilldownURI . Default is "External Drilldown for <itsiNotableTitle>" |
optional for ITSI |
itsiInclude |
string | Boolean indicating whether this alert is automatically brought into ITSI as a Notable Event. If absent, ITSI assumes itsiInclude="true" . If itsiInclude="false" , ITSI does not onboard the alert. This is useful for testing or for specifically selecting which raw alerts to onboard as Notable Events. |
recommended for ITSI |
itsi_instruction |
string | Text or markdown instructions for a human on how to handle this type of alert; can handle a link if encoded as markdown. See https://www.markdownguide.org. | optional for ITSI |
itsiNotableTitle |
string | Specifies which fields the Notable Event Title includes. Default is "<signature> - <src> (<subcomponent>)" . |
optional for ITSI |
severity_id |
string | The numeric or vendor-specific severity indicator corresponding to the event severity.
For ITSI, |
required for ITSI |
signature |
string | The human-friendly title of the alert event, such as 'Device Not Responding,' 'Disk Full,' or 'CPU usage too high.' | required for ITSI |
src |
string | The object that is the target, host, or object of the alert event. You can alias this field from existing fields such as src_host , src_ip , or src_name . |
required for ITSI |
subcomponent |
string | Sub-component object for this alert. Further defines the src field.
For example, for a "Filesystem Full" alert on "server42" for "/var":
Most alerts will not have a sub-component object. However, if the alert does contain a sub-component object, you must include this field. |
recommended for ITSI |
vendor_severity |
string | The original vendor-specific severity/health/status string for this alert, such as up/down/ok/normal/critical/warning/red/green/minor/major. | required by ITSI |
Network Traffic Field Mapping |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.19.0, 4.20.0, 4.20.2
Feedback submitted, thanks!