Tune notable event grouping in ITSI
Notable event aggregation polices group notable events to organize them in Episode Review. ITSI provides a file called
itsi_rules_engine.properties, located at
$SPLUNK_HOME/etc/apps/SA-ITOA/default/, where you can tune and customize notable event grouping settings.
Create a local version of
itsi_rules_engine.properties and increase the following settings as necessary to improve notable event grouping on your deployment.
# The period, in seconds, at which to fetch aggregation policies from the KV store. policy_fetch_period = 45 # The number of sub-groups that can be created for an aggregation policy with # split by fields. If you exceed this limit, you will break all sub-groups # that exist for an aggregation policy. sub_group_limit = 10000 # The group index name. index_name = itsi_grouped_alerts # The HTTP token name. token_name = itsi_group_alerts_token # The HTTP sync token name. # NOTE: If the sync token name and the HTTP token name are the same, a token # with async functionality is created. sync_token_name = itsi_group_alerts_sync_token # The timeout value for receiving an acknowledgement from HEC. # When processing a notable event and the action criteria is met, this setting # ensures that the current event is indexed before executing an action. http_ack_time_out = 10 # The default source. default_source = itsi_group_alerts # The default sourcetype. default_sourcetype = itsi_notable:group # The number of events that can be contained in the parent group, which includes # all sub-groups for an aggregation policy with split by fields. If you exceed this # limit, you will break all sub-groups that exist for an aggregation policy. max_event_in_parent_group = 100000000 # The number of events that can be contained in a single sub-group for an aggregation # policy with split by fields. If you exceed this limit you will break the sub-group. max_event_in_group = 10000 # An ACK token ensures that an event is being indexed before running an action on it. # However, events are forwarded to the indexer from the search head, which adds another delay. # This field (in milliseconds) adds an additional delay before running an action on events or groups. # This setting can help you avoid missing notable events while grouping on a slow deployment. action_execution_delay = 0 # When fetching events to perform actions on an episode, the amount of time, in seconds, to # subtract from the earliest_time on the search before executing an action. # This setting helps prevent grouping inaccuracies when events are milliseconds apart. earliest_time_lag = 300 # The delay, in seconds, to batch update episode state. Otherwise, the KV store is accessed too often. # It is recommended that you do not set this to a value below 20. group_state_batch_delay = 28
Set up custom episode actions in ITSI
Ingest third-party alerts as ITSI notable events
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5