Release notes for the Content Pack for ITSI Monitoring and Alerting
Version 2.1.0 of the Content Pack for ITSI Monitoring and Alerting was released on August 31, 2022. The following sections describe the contents of this version.
New features of the Content Pack for ITSI Monitoring and Alerting include the following:
|New feature or enhancement||Description|
|Alert and Episode monitoring services||Two new services have been added: ITSI Alert Analytics and ITSI Episode Analytics. They monitor incoming alert and episode volumes for alert storms, long-term trending, and greater visibility. Includes new KPIs, Service Analyzer, and service templates.|
|Alert and Episode storm detection capabilities||Based on historical volume trends, Alert and Episode Storms can be detected and analyzed to determine severity, relevance and probable cause. Includes a new Notable Event Aggregation Policy and Saved Episode View.|
|Event and Incident Operations Posture dashboard||Describes overall alert and episode handling trends, such as the Mean Time to Respond (MTTR) and Mean Time to Acknowledge (MTTA) over time, and which services, alert groups, devices, and alert signatures have been the noisiest.|
|Correlation search prefixing is now supported||In prior versions of the content pack, cloned Service Monitoring and Episode Monitoring correlation searches could not be prefixed without breaking certain functionality. This issue has now been addressed. However, because of the complexity in the grouping rules, it is still recommended that you do not clone the Aggregation Policies shipped in this Content Pack.|
|The ITSI KPI Attributes Lookup Generator search now supports more logical default alert_group values||By default, new KPIs inherit the alert_group value of the service instead of using the service name. In other words, if an alert_group value is set on the service health score row of the itsi_kpi_attributes lookup, the generator search will use that alert_group value for any newly-discovered KPIs within that service.|
|Correlation searches now support the||The ITSI KPI Attributes Lookup Generator search and Service Monitoring correlation searches now support the itsiInclude field to explicitly disable Service Monitoring for services and KPIs where |
|New macro: filter_itsi_include_is_false||This object in the DA-ITSI-CP-monitoring-alerting/local/macros.conf file determines whether to include an alert based on the itsiInclude field.|
For more information, see Enable or disable service monitoring for certain services and KPIs.
This version of the Content Pack for ITSI Monitoring and Alerting has these reported fixed issues. If no fixed issues are listed in the following table, no issues have been reported.
|Dashboard performance improvements||The ITSI Service and KPI Severity Analytics dashboard and ITSI Service and KPI Threshold Analytics dashboard have been refactored for better performance and usability. These dashboards no longer depend on the |
|Knowledge objects / searches now use macros to specify indexes||All occurrences of hard-coded indexes in knowledge objects have been replaced with macros for better usability and flexibility. Users can update the macro index if required to use their customized index.|
|Universal Correlation Search (UCS) performance improvements||The Universal Correlation Search has been refactored for better performance.|
|The Episode Monitoring correlation search, Set Episode to Highest Alarm Severity, now works with pseudo entities||Previously, when using pseudo entities with ITSI services, event grouping did not work with the correlation search Set Episode to Highest Alarm Severity, because it would clear the |
|Performance and scaling improvements for the saved search, itsi_entity_name_normalizer||This saved search ensures that all entities have a normalized 'entity_name' alias, but would fail if the total number of entities was greater than 50,000. It now can scale beyond 50,000 entities, and performs more efficiently.|
|Bug fixes for Saved Episode Views||When used, the Episode Views would cause the 'Count' column in Alerts and Episodes to disappear. This issue affected four Episode Views: Episodes - All, Episodes - Adjusted by Episode Monitor, Episodes - New (untriaged), and Episodes - Open. This has now been resolved.|
|The example service tree "ITSI Monitoring" has been removed||This service tree was created for demonstration purposes only and created more confusion than benefit. To test or demonstrate the functionality of the content pack with a real world service tree, it is recommended that you install the Monitoring Splunk as a Service content pack.|
|Fixed intermittent duplication of Episode Monitoring notable events||The Episode Monitoring correlation searches use alert throttling functionality to prevent duplicate alerts from being created; however, these searches were configured to throttle on an invalid itsi_tracked_alerts field, which could result in duplicate Episode Monitoring alerts.|
This version of the Content Pack for ITSI Monitoring and Alerting has the following reported known issues and workarounds. If no issues appear below, no issues have yet been reported.
This documentation applies to the following versions of Content Pack for ITSI Monitoring and Alerting: 2.1.0