Splunk® IT Service Intelligence

Administration Manual



Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI.

Correlation search overview for ITSI

A correlation search is a scheduled search that runs on a recurring basis and scans one or more data sources for defined patterns. You can configure a correlation search to generate a notable event (alert) when its results meet specific conditions. Use Episode Review to triage the notable events that your correlation searches generate and to begin investigating root cause.
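The following is an added example, not ITSI code or part of the Splunk documentation. It models a correlation search in miniature: a scheduled run over a time window, a match condition (a service health score reported as critical), one result per service per run, and a notable event per result. It runs on constructed summary-index style events; the field names (itsi_service_id, kpi, alert_severity, alert_value) are modelled on ITSI's summary index and are assumptions here, not something this page verifies. The point it makes that the paragraph does not: if the search time range is longer than the schedule interval, consecutive runs overlap and the same underlying result produces repeated notable events.

```python
"""Miniature emulation of an ITSI correlation search (added example, not ITSI code).

A correlation search is a scheduled search: every `interval` seconds it runs
over a time window and turns matching results into notable events. Field names
below are modelled on ITSI's summary index and are assumptions, not verified.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class SummaryEvent:
    time: int               # epoch seconds
    itsi_service_id: str    # assumed field name
    kpi: str                # assumed field name
    alert_severity: str     # assumed field name
    alert_value: float      # assumed field name (health score 0-100)


@dataclass(frozen=True)
class NotableEvent:
    time: int
    itsi_service_id: str
    severity: str
    title: str


# Constructed sample data: two services, health scores written every 60 s.
SAMPLE_EVENTS: List[SummaryEvent] = [
    SummaryEvent(1000, "svc-web", "ServiceHealthScore", "normal", 95.0),
    SummaryEvent(1060, "svc-web", "ServiceHealthScore", "critical", 12.0),
    SummaryEvent(1120, "svc-web", "ServiceHealthScore", "critical", 9.0),
    SummaryEvent(1180, "svc-db", "ServiceHealthScore", "high", 45.0),
    SummaryEvent(1240, "svc-db", "ServiceHealthScore", "critical", 15.0),
    SummaryEvent(1300, "svc-web", "ServiceHealthScore", "normal", 88.0),
]


def critical_health_score(e: SummaryEvent) -> bool:
    """Match condition of the search: the service health score is critical."""
    return e.kpi == "ServiceHealthScore" and e.alert_severity == "critical"


def run_once(events: List[SummaryEvent], condition: Callable[[SummaryEvent], bool],
             earliest: int, latest: int) -> List[NotableEvent]:
    """One scheduled run over the window [earliest, latest).

    Keeps only the latest match per service (the SPL equivalent would be
    `| stats latest(...) by itsi_service_id`) and emits one notable per service.
    """
    latest_match: Dict[str, SummaryEvent] = {}
    for e in events:
        if earliest <= e.time < latest and condition(e):
            prev = latest_match.get(e.itsi_service_id)
            if prev is None or e.time > prev.time:
                latest_match[e.itsi_service_id] = e
    return [
        NotableEvent(e.time, e.itsi_service_id, e.alert_severity,
                     f"Critical health score ({e.alert_value:g}) for {e.itsi_service_id}")
        for e in latest_match.values()
    ]


def run_schedule(events: List[SummaryEvent], condition: Callable[[SummaryEvent], bool],
                 start: int, end: int, interval: int, lookback: int) -> List[NotableEvent]:
    """Run the search every `interval` seconds from start to end inclusive, each run
    covering the last `lookback` seconds. When lookback > interval the windows
    overlap, so one underlying result can be turned into a notable more than once."""
    notables: List[NotableEvent] = []
    t = start
    while t <= end:
        notables.extend(run_once(events, condition, t - lookback, t))
        t += interval
    return notables


if __name__ == "__main__":
    # Interval equals the time range: each critical result is reported once.
    for n in run_schedule(SAMPLE_EVENTS, critical_health_score, 1200, 1500, 300, 300):
        print("aligned  ", n.time, n.title)
    # Time range twice the interval: svc-web's result at t=1120 is reported twice.
    for n in run_schedule(SAMPLE_EVENTS, critical_health_score, 1200, 1500, 300, 600):
        print("overlapping", n.time, n.title)
```

The practical check this encodes: when you schedule a correlation search in the ITSI app, set its time range to match its interval (for example, every 5 minutes over the last 5 minutes) unless you deliberately want a longer window, in which case expect repeated notables for the same underlying result and plan for them in your aggregation policy.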

You can use an ITSI correlation search to ingest third-party alerts as ITSI notable events. If you are creating a correlation search to ingest alerts from a third-party product, such as Nagios or SCOM, see Ingest third-party alerts as ITSI notable events for specific instructions.

Do not create correlation searches by manually editing $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf: a search created that way does not appear on the correlation search lister page. Always create correlation searches from within the IT Service Intelligence app.

Predefined correlation searches

The following correlation searches are delivered with ITSI. By default, they are disabled. You can enable them and modify them to meet your needs.

Monitor Critical Service Based on Healthscore: Creates notable events for services with a critical health score.
SNMP Traps: Creates notable events for SNMP traps ingested into ITSI. See Ingest SNMP traps in ITSI for more information.
Splunk App for Infrastructure Alerts: Creates notable events from Splunk App for Infrastructure alerts when integration is enabled between the Splunk App for Infrastructure and ITSI. See Ingest Splunk App for Infrastructure alerts into ITSI as notable events for more information.
Normalized Correlation Search: Creates notable events for any third-party alerts ingested into ITSI that include ITSI normalized fields. See Normalized correlation search for more information.
Last modified on 16 January, 2019

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5

