Troubleshoot the Content Pack for ITSI Monitoring and Alerting

Follow these troubleshooting tips for the Content Pack for ITSI Monitoring and Alerting if you are experiencing errors or it is otherwise not working as you expect.

Notable Event Aggregation Policy (NEAP) isn't working as expected

Problem

The filter criteria for the below Notable Event Aggregation Policies (NEAP) isn't working as expected:

• Episodes by Alarm
• Episodes by Alert Group
• Episodes by ITSI Service
• Episodes by Src

Cause

The definition of the NEAPs use this filter criteria:

"config": {
    "field": "itsi_policy_id",
    "operator": "=",
    "value": "<uuid>"
}

In previous versions of the content pack the uuid was hard coded. Ideally, the value for the itsi_policy_id field is the ID of the NEAP.

Solution

Follow these steps to update the value of the itsi_policy_id field to use the ID for the NEAPs:

1. Log in into the Splunk instance with ITSI.
2. Go to the IT Service Intelligence app.
3. Go to Configuration > Notable Event Aggregation Policies.
4. For each NEAP follow these steps:
   1. Select a NEAP, and select the Filter Criteria and Instructions tab.
   2. Under include the events if, replace the value in the itsi_policy_id field as per this table:

      NEAP	Existing itsi_policy_id	New itsi_policy_id
      Episodes by Alarm	cef5eec4-2dcc-11eb-8ffb-0671d5072164	da-itsi-cp-monitoring-alerting-episodes-by-alarm
      Episodes by Alert Group	e3ec489a-04b1-11ea-8567-021bca2da03d	da-itsi-cp-monitoring-alerting-episodes-by-alert-group
      Episodes by ITSI Service	48a35d46-0557-11ea-9716-021bca2da03d	da-itsi-cp-monitoring-alerting-episodes-by-itsi-service
      Episodes by Src	76073f1c-303c-11eb-8ffe-0671d5072164	da-itsi-cp-monitoring-alerting-episodes-by-src

5. Select on Preview results to preview the results for the new NEAP filter criteria.
6. Select Save.