Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

About the default aggregation policy in ITSI

The default aggregation policy in IT Service Intelligence (ITSI) groups notable events that don't match the filtering criteria of any other policies you create. If you don't want to create your own aggregation policies, use the default policy to group events. You can't delete or disable the default policy. For more information about aggregation policies in ITSI, see Notable event aggregation policies overview for ITSI.

Only a user assigned the itoa_admin role, or a role that inherits from itoa_admin, can modify the default aggregation policy.

The default aggregation policy has the following characteristics:

    • Doesn't include any filtering criteria. The default policy catches events not captured by the filtering criteria of any other aggregation policies, so you can't add any.
    • Splits events into multiple episodes by the source field. You can change the field that is used to split events, specify more than one field by which to split events, or choose to not split events by not specifying a field name.
    • The episode breaks if the flow of events is paused for 7200 seconds (2 hours). You can change the length of time or modify the breaking criteria.
    • Episode information such as Episode Title, Episode Description, and Episode Severity are set to be the same as the first event in the episode.
    • No action rules are defined.

To view or modify the default aggregation policy, click Configure > Notable Event Aggregation Policies > Default Policy.

The default policy doesn't have Smart Mode enabled, but you can enable it yourself. For information on enabling Smart Mode, see Group similar events with Smart Mode in ITSI.

For information on modifying the default aggregation policy or creating a new aggregation policy, see Create a custom aggregation policy in ITSI.

Last modified on 03 March, 2020
Notable event aggregation policies overview for ITSI
Create a custom aggregation policy in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters