Configure correlation searches in ITSI
Configure correlation searches to update the settings associated with how they run, change the search logic, and throttle alerts. See Correlation search overview for ITSI to learn more about correlation searches.
|Search Name||A name that describes the correlation search. For example, "cpu_load_percent".||None|
|Description||(Optional) A description of the type of issue the search is intended to detect.||None|
|Search Type||The correlation search type:
|Time range||The time range over which the correlation search applies.|
|Service||Select one or more ITSI services to which this correlation search applies. You can only select services that belong to teams for which you have read access.||None|
|Entity Lookup Field||The field in the data retrieved by the correlation search that is used to look up corresponding entities. For example,
|Schedule Type||Configure the schedule for the correlation search:
Use this section to configure the notable event that is generated when search results meet a specific condition. The Splunk platform indexes the event object like any other event. You can track, manage, and update notable events in Episode Review.
ITSI correlation searches support field substitution with tokens in the format
%fieldname%. Use field substitution to map third-party alert field values to corresponding notable event fields. See Use ITSI correlation search to ingest alerts for specific examples.
|Notable Event Title||The title of the notable event in Episode Review. For example,
|Notable Event Description||A brief phrase to describe the notable event. For example, "This alert triggers when DB CPU load on the mysql-01 server reaches 80%."||None|
|Owner||The ITSI role to which the notable event is assigned in Episode Review.|
|Severity||The level of importance of the event.
|Status||The triage status of the event in Episode Review.
|Drilldown Search Name||You can drill down to a specific Splunk search from the Overview tab of Episode Review for an individual notable event or from the Grouped Events tab for a group of notable events. Set the name of the drilldown search link.||None|
|Drilldown Search||The search you drill down to.||None|
|Drilldown earliest offset||Defines how far back from the time of the event to start looking for related events.|
|Drilldown latest offset||Defines how far ahead from the time of the event to look for related events.|
|Notable Event Identifier Fields||Determine whether a notable event is unique or not. These identifier fields form the event hash field, which is added to every notable event to help identify unique alarm types.|
|Drilldown Website Name||You can drill down to a specific website from the Overview tab of Episode Review. Set the name of the drilldown website link.||None|
|Drilldown Website URL||The website you drill down to.||None|
When correlation search results meet specific conditions, the search generates a new alert. This can create multiple alerts for the same condition. In most cases, it is best to have a single alert for the same condition. Throttling prevents the creation of multiple alerts for the same condition during a specified time range.
Throttling applies to any correlation search alert type, including notable events and actions (RSS feed, email, run script, and ticketing).
|Suppress Period||During the suppress period, any additional event that matches any of the Fields to group by does not create a new alert. After the suppress period passes, the next matching event creates a new alert, and throttling conditions resume. Enter a relative time range in seconds. For example "60s" (60 seconds).|
|Fields to group by||Fields to compare for similar events. For example, |
During the suppress period, any additional matches in the correlation search results are compared to the fields defined here. If a field matches, it stops the creation of a new alert. You can define multiple fields. The fields available depend on the search fields that the correlation search returns.
Actions are other alert types that a correlation search can trigger. You configure action alerts independently from other alert types, such as Notable Events and Risk Scoring.
|Include in RSS feed||Posts the correlation search alert on the Splunk Enterprise RSS feed.|
|Send email||Sends an email about the correlation search alert. |
The schedule_search capability and the admin_all_objects capability are required for PDF delivery scheduling.
Note: Email actions require that you configure the mail server in Splunk Enterprise. See Configure email notification settings in the Alerting Manual.
|Run a script||Triggers a shell script. See Configure scripted alerts in the Alerting Manual.|
Create correlation searches in ITSI
Create multi-KPI alerts in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5
Feedback submitted, thanks!