Content Pack for ITSI Monitoring and Alerting

This documentation does not apply to the most recent version of Content Pack for ITSI Monitoring and Alerting. For documentation on the most recent version, go to the latest release.

Release notes for the Content Pack for ITSI Monitoring and Alerting

Version 2.0.2 of the Content Pack for ITSI Monitoring and Alerting was released on October 28, 2021. The following sections describe the contents of the current release.

Version 2.0.2

Updated the content pack name
  The Content Pack for Monitoring and Alerting was renamed to Content Pack for ITSI Monitoring and Alerting to eliminate confusion with the Content Pack for ITE Work Alert Routing.
New Episode Review objects
  New Episode Review objects have been added to Content Pack for ITSI Monitoring and Alerting v2.0.2 packaged in Splunk App for Content Packs v1.4.0. See the installation documentation to install these objects.
Fixed the Policy ID issue in NEAPs
  The value for the Policy ID in the NEAPs has been updated to point to the correct Notable Event Aggregation Policy in the content pack packaged in Splunk App for Content Packs.
Removal of the correlation search
  The correlation search Episode Monitoring - All Services and KPIs Return to Normal has been removed from the content pack.

Known issues

This version of the Content Pack for ITSI Monitoring and Alerting has the following reported known issues and workarounds. If no issues appear below, no issues have yet been reported.

Date filed: 2021-10-18
Issue number: ITSI-19299
Description: Knowledge objects are duplicated when the Splunk App for Content Packs is installed along with Splunk Add-on for the Content Pack for ITSI Monitoring and Alerting.

Version 2.0.0

The following table describes the contents of BACKUP-CP-MA-2.0.0.zip:

Aggregation policies
  The following aggregation policies:
  • Episodes by Alarm (new)
  • Episodes by Alert Group (changed)
  • Episodes by ITSI Service (changed)
  • Episodes by Src (new)
Universal Alerting correlation search
  The Universal Correlation Search onboards external alerts that adhere to the Universal Alerting Normalization Standard. For more information, see About Universal Alerting. Besides converting external alerts to notable events, the UCS also performs alarm state deduplication over the last hour of raw alerts, as well as backfill over the last hour to find "missed" alerts.
  • Universal Correlation Search (new)
Episode monitoring correlation searches
  The following searches that monitor the episodes in your environment:
  • All Services and KPIs Return to Normal (deprecated)
  • Concentration of High and Critical Notable Events added to Episode
  • Critical Notable Event added to Episode
  • Episode Risk Well Above Historical Average
  • First Time Seen Episode
  • Notable Event with Alert Attribute added to Episode
  • Set Episode to Highest Alarm Severity (new)
  • Sudden Spike in Newly Created Episodes
Service monitoring correlation searches
  The following searches that monitor the services and KPIs in your environment:
  • Degraded Service or KPI Returns to Normal
  • Entity Degraded
  • Entity for KPI with Highest (11) Importance Degraded
  • KPI Degraded
  • Rarely Degraded Service or KPI
  • Service Health Degraded
  • Sustained Entity Degradation
  • Sustained KPI Degradation
  • Sustained Service Health Degradation
Sample services
  The following sample services:
  • ITSI Monitoring
  • ITSI Monitoring - Framework Health
  • ITSI Monitoring - ITSI Summary
  • ITSI Monitoring - Notables and Episodes
Saved searches
  The following saved searches:
  • ITSI Episode Contact Map Generator
  • ITSI Historical Episode Risk Levels Generator
  • ITSI KPI Attributes Lookup Generator
Automatic lookups
  The following automatic lookups:
  • itsi_kpi_attributes
  • itsi_episode_contact_by_alert_group
Dashboards
  The following dashboards:
  • ITSI Episode Analysis
  • ITSI Service and KPI Severity Analytics
  • ITSI Service and KPI Threshold Analytics
Saved Episode Review views
  The following saved Episode Review dashboards:
  • Episodes - All (new)
  • Episodes - New untriaged (new)
  • Episodes - Open (new)
  • Episodes - Adjusted by Episode Monitor
  • Episodes by Alert Group: All Open (removed)
  • Episodes by Alert Group: All Open with Alert (removed)
  • Episodes by Alert Group: All Open and Closed with Alert (removed)

Significant and non-passive changes

This version of the content pack contains some significant and non-passive changes from prior versions.

Episode monitoring correlation searches

  • Alert suppression logic has been non-passively changed. When multiple episode monitoring correlation searches are enabled, you receive one notable event for each enabled episode monitoring alert that triggers on the episode. In previous versions of the content pack, the episode received only one episode monitoring alert, from the first detection that triggered. For more information on this behavior, see Alert action throttling and configuration.

Service monitoring correlation searches

  • Most correlation search logic has been moved to a macro for readability and reuse. A new macro add_universal_alert_fields_to_notable contains most of the logic that creates fields on a service monitoring notable event. This macro increases correlation search readability and lets you modify common notable event fields centrally, in the rare instance when you must modify macro logic. The macro also contains extensive inline documentation for readability.
  • Notable event identifier fields have been updated. The notable event identifier fields for service monitoring notables have been changed to a stronger naming convention and have moved to the macro add_itsi_service_monitoring_ne_identifier_string to allow customization. For more information, see Episode timeline event type configuration.

Universal Alerting correlation search

This version of the content pack contains a new Universal correlation search that captures and processes raw external alerts from monitoring sources such as Nagios or SolarWinds, which are normalized using the Universal Alerting Field Standard. For more information, see About Universal Alerting.

Saved episode views

  • Four new episode views are included to support episode management workflows.
  • The "Episodes by Alert Group" views are replaced by the new episode views.

Aggregation policies

The following changes apply to all of the aggregation policies shipped in the content pack.

  • Episode title change: The episode title uses stronger naming conventions. This change affects any logic in the content pack that uses the episode title to correlate current episodes with historical ones, such as the "Episode Monitoring - Episode Risk Well Above Historical Average" correlation search.
  • Episode severity change: The episode severity updates to reflect the severity of the most recent notable event in the episode. This change produces more accurate episode severity levels when you use it in conjunction with the new "Episode Monitoring - Set Episode to Highest Alarm Severity" correlation search.
  • Episode breaking change: In the previous version of the content pack, episodes were configured to forcibly break after existing for 24 hours. In this release, episodes break when they receive no new activity in 8 hours, or if the episode severity returns to normal when using the "Episode Monitoring - Set Episode to Highest Alarm Severity" correlation search.
Last modified on 09 December, 2021

This documentation applies to the following versions of Content Pack for ITSI Monitoring and Alerting: 2.0.2
