
Correlation search overview for ITSI
A correlation search is a recurring search that scans multiple data sources for defined patterns. You can configure a correlation search to generate a notable event (alert) when search results meet specific conditions. Use Episode Review to review notable events that your correlation searches generate and to initiate the investigative process of determining root cause.
You can use an ITSI correlation search to ingest third-party alerts as ITSI notable events. If you are creating a correlation search to ingest alerts from a third-party product, such as Nagios or SCOM, see Ingest third-party alerts as ITSI notable events for specific instructions.
Do not create correlation searches by manually editing $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf. The search will not appear on the correlation search lister page. Always create correlation searches directly in the IT Service Intelligence app.
Predefined correlation searches
The following correlation searches are delivered with ITSI. By default, they are disabled. You can enable them and modify them to meet your needs.
Name | Description |
---|---|
Monitor Critical Service Based on Healthscore | Creates notable events for services with a critical health score. |
SNMP Traps | Creates notable events for SNMP traps being ingested into ITSI. See Ingest SNMP traps in ITSI for more information. |
Splunk App for Infrastructure Alerts | Creates notable events from Splunk App for Infrastructure alerts when integration is enabled between the Splunk App for Infrastructure and ITSI. See Ingest Splunk App for Infrastructure alerts into ITSI as notable events for more information. |
Normalized Correlation Search | Creates notable events for any third-party alerts being ingested into ITSI that include ITSI normalized fields. See Normalized correlation search for more information. |
PREVIOUS Group similar events with Smart Mode in ITSI |
NEXT Create correlation searches in ITSI |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5
Feedback submitted, thanks!