Splunk® IT Service Intelligence

Administration Manual



Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI. Click here for the latest version.

Tune notable event grouping in ITSI

Notable event aggregation policies group notable events to organize them in Episode Review. ITSI provides a file called itsi_rules_engine.properties, located at $SPLUNK_HOME/etc/apps/SA-ITOA/default/, where you can tune and customize notable event grouping settings.

Create a local version of itsi_rules_engine.properties and increase the following settings as necessary to improve notable event grouping on your deployment.

# The period, in seconds, at which to fetch aggregation policies from the KV store.
policy_fetch_period = 45

# The number of sub-groups that can be created for an aggregation policy with
# split by fields. If you exceed this limit, you will break all sub-groups
# that exist for an aggregation policy.
sub_group_limit = 10000

# The group index name.
index_name = itsi_grouped_alerts

# The HTTP token name.
token_name = itsi_group_alerts_token

# The HTTP sync token name.
# NOTE: If the sync token name and the HTTP token name are the same, a token 
# with async functionality is created.
sync_token_name = itsi_group_alerts_sync_token

# The timeout value for receiving an acknowledgement from HEC.
# When processing a notable event and the action criteria is met, this setting
# ensures that the current event is indexed before executing an action. 
http_ack_time_out = 10

# The default source.
default_source = itsi_group_alerts

# The default sourcetype.
default_sourcetype = itsi_notable:group

# The number of events that can be contained in the parent group, which includes
# all sub-groups for an aggregation policy with split by fields. If you exceed this
# limit, you will break all sub-groups that exist for an aggregation policy.
max_event_in_parent_group = 100000000

# The number of events that can be contained in a single sub-group for an aggregation
# policy with split by fields. If you exceed this limit you will break the sub-group.
max_event_in_group = 10000

# An ACK token ensures that an event is being indexed before running an action on it.
# However, events are forwarded to the indexer from the search head, which adds another delay.
# This field (in milliseconds) adds an additional delay before running an action on events or groups.
# This setting can help you avoid missing notable events while grouping on a slow deployment.
action_execution_delay = 0

# When fetching events to perform actions on an episode, the amount of time, in seconds, to 
# subtract from the earliest_time on the search before executing an action. 
# This setting helps prevent grouping inaccuracies when events are milliseconds apart. 
earliest_time_lag = 300

# The delay, in seconds, to batch update episode state. Otherwise, the KV store is accessed too often. 
# It is recommended that you do not set this to a value below 20.
group_state_batch_delay = 28
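The comments in the file above state several constraints on these settings (the batch delay should not drop below 20, a sub-group cannot be larger than its parent group, identical token names change the token's behaviour). The following script is an added example, not code from Splunk or from this documentation, that parses a local itsi_rules_engine.properties and reports values that violate those documented constraints before you deploy the file. The sample properties text embedded in it is constructed for illustration, and the helper names (parse_properties, check_settings, check_file) are assumptions of this example.

```python
"""
Added example (not part of the Splunk ITSI documentation): lint a local
itsi_rules_engine.properties against the constraints described in the
default file's comments.
"""
import re
from pathlib import Path

# Constructed sample of a tuned local copy. The overridden values are
# deliberately chosen to trip three of the checks below.
SAMPLE_LOCAL = """\
# local override (constructed sample)
policy_fetch_period = 45
sub_group_limit = 20000
token_name = itsi_group_alerts_token
sync_token_name = itsi_group_alerts_token
max_event_in_parent_group = 5000
max_event_in_group = 10000
group_state_batch_delay = 10
"""

# Defaults taken from the default itsi_rules_engine.properties shown above.
DEFAULTS = {
    "policy_fetch_period": 45,
    "sub_group_limit": 10000,
    "http_ack_time_out": 10,
    "max_event_in_parent_group": 100000000,
    "max_event_in_group": 10000,
    "action_execution_delay": 0,
    "earliest_time_lag": 300,
    "group_state_batch_delay": 28,
}

KEY_VALUE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def parse_properties(text):
    """Parse `key = value` lines; blank lines and '#' comment lines are ignored."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def _as_int(settings, key):
    """Integer value of a setting, falling back to its default; None if malformed."""
    try:
        return int(settings.get(key, DEFAULTS[key]))
    except ValueError:
        return None


def check_settings(settings):
    """Return a list of (key, message) findings for values that break documented constraints."""
    findings = []

    # Every numeric setting must be a non-negative integer.
    for key in DEFAULTS:
        value = _as_int(settings, key)
        if value is None or value < 0:
            findings.append((key, "must be a non-negative integer"))

    # The comment on group_state_batch_delay recommends a minimum of 20.
    delay = _as_int(settings, "group_state_batch_delay")
    if delay is not None and delay < 20:
        findings.append(("group_state_batch_delay",
                         f"{delay} is below the recommended minimum of 20"))

    # A single sub-group cannot hold more events than the parent group that contains it.
    parent = _as_int(settings, "max_event_in_parent_group")
    group = _as_int(settings, "max_event_in_group")
    if parent is not None and group is not None and parent < group:
        findings.append(("max_event_in_parent_group",
                         f"{parent} is smaller than max_event_in_group ({group})"))

    # Identical token names create a token with async functionality.
    token = settings.get("token_name", "itsi_group_alerts_token")
    sync_token = settings.get("sync_token_name", "itsi_group_alerts_sync_token")
    if token == sync_token:
        findings.append(("sync_token_name",
                         "equals token_name; the token will be created with async functionality"))
    return findings


def check_file(path):
    """Lint a properties file on disk, e.g. $SPLUNK_HOME/etc/apps/SA-ITOA/local/itsi_rules_engine.properties."""
    return check_settings(parse_properties(Path(path).read_text()))


if __name__ == "__main__":
    for key, message in check_settings(parse_properties(SAMPLE_LOCAL)):
        print(f"{key}: {message}")
```

Run it against your local copy with check_file() before restarting ITSI; settings you leave out of the local file are checked at their default values, so a local file that only overrides one key still gets the cross-field checks.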
Last modified on 03 April, 2019

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5

