Create a custom aggregation policy in ITSI
You can create one or more customized notable event aggregation policies. By default, users assigned the itoa_admin role or itoa_team_admin role can create, modify, and delete aggregation policies. Users assigned the itoa_analyst role can view notable event aggregation policies but cannot modify or delete them.
If you want to use Smart Mode in a custom aggregation policy, you must first create and save the custom aggregation policy. After you save the policy, re-open it to turn on and configure Smart Mode.
What aggregation policies do
An aggregation policy lets you group notable events into episodes based on the following criteria:
- A field matches a string
- A field does not match a string
- A field is greater than a number
- A field is greater than or equal to a number
- A field is less than a number
- A field is less than or equal to a number
The field can be the name of a saved search, the name of a field from a raw event, or the Owner field of the notable event. You can create rules based on multiple AND/OR conditions.
An aggregation policy lets you control the grouping of events in the following ways:
- Split events into multiple episodes by one or more fields, such as
- Stop grouping when certain criteria are met. For example, when a certain number of events is reached, the episode has existed for a certain amount of time, or a certain event occurs, such as Severity matches Normal. These are called breaking conditions. You can have multiple breaking conditions.
An aggregation policy lets you take the following actions on an episode:
- Change the severity
- Change the status
- Change the owner
- Add a comment
- Run a script
- Send an email
- Ping a host
- Create an incident in ServiceNow (requires the Splunk Add-on for ServiceNow)
- Create an incident in Remedy (requires the Splunk Add-on for Remedy)
- Create an incident in VictorOps (requires VictorOps For Splunk)
- Other custom actions that have been configured
Some actions might not be available if role-based permissions restrict them. For information about episode actions, see Take action on an episode in ITSI.
Create an aggregation policy
When creating a new policy, be mindful of the policies that have already been created. Multiple aggregation policies can be created with filtering criteria that capture the same set or subset of events. If the same notable events are captured by more than one policy, the action rules from each policy are applied to the notable events.
To create an aggregation policy:
- Click Configure > Notable Event Aggregation Policies. The default policy and any other policies that have been created are listed.
- Click Create Notable Event Aggregation Policy. The Filtering Criteria step opens.
You can create rules for determining which notable events are included in the group based on multiple AND/OR conditions. You can use wildcard characters in fields. You must specify at least one rule.
| Setting | Description |
| --- | --- |
| Include the events if | Click + Add Rule (OR) to add rules for including events in this group. For example, you could specify. Rules within a block are combined with AND, and blocks are combined with OR: if there are three rules in the first block and two rules in the second block, the total clause reads "(Rule1 AND Rule2 AND Rule3) OR (Rule1 AND Rule2)". |
| Split events by field | Split events into separate groups based on one or more field names. Each field is considered separately. For example, if you split by |
| Break episode | Add breaking conditions to stop grouping. If the conditions are met, the current episode ends and a new episode is started. For example, an episode might end when the number of events reaches a certain number, the episode has existed for a certain amount of time, or when a certain event (that meets the filtering criteria for the episode) occurs. Use wildcards to search for a string in a field. For example, you might enter "Break episode if the following event occurs: If an episode is closed in Episode Review, this automatically breaks the episode. |
| Episode Information | Specify how you want episode information to appear in Episode Review. This information is at the episode level and is separate from the information for the underlying notable events in the episode. |
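As an added illustration, not ITSI's own code, the following Python models how the filtering criteria (OR-ed blocks of AND-ed rules, with wildcards), the split-by-field setting and a breaking condition turn a stream of notable events into episodes. The events, field names, rule tuples and the choice to keep the breaking event in the episode it ends are all constructed assumptions for this example.

```python
import fnmatch
# Constructed sample notable events (not from the page); each dict is one event.
SAMPLE_EVENTS = [
    {"source": "cpu_search", "host": "web01", "severity": "Critical", "count": 5},
    {"source": "cpu_search", "host": "web02", "severity": "High", "count": 3},
    {"source": "disk_search", "host": "web01", "severity": "High", "count": 1},
    {"source": "cpu_search", "host": "web01", "severity": "Normal", "count": 0},
    {"source": "cpu_search", "host": "web01", "severity": "Critical", "count": 7},
]
# Filtering criteria: (source matches cpu_* AND count >= 3) OR (severity matches Normal)
EXAMPLE_BLOCKS = [
    [("source", "matches", "cpu_*"), ("count", ">=", 3)],
    [("severity", "matches", "Normal")],
]

def rule_matches(event, rule):
    """One rule (field, operator, value); 'matches'/'does not match' accept * and ? wildcards."""
    field, op, value = rule
    actual = event.get(field)
    if actual is None:
        return False
    if op in ("matches", "does not match"):
        hit = fnmatch.fnmatchcase(str(actual), str(value))
        return hit if op == "matches" else not hit
    try:
        a, v = float(actual), float(value)
    except (TypeError, ValueError):
        return False  # a non-numeric value never satisfies a numeric comparison
    return {">": a > v, ">=": a >= v, "<": a < v, "<=": a <= v}[op]

def policy_includes(event, blocks):
    """Rules in a block are AND-ed, blocks are OR-ed: (R1 AND R2 AND R3) OR (R1 AND R2)."""
    return any(all(rule_matches(event, r) for r in block) for block in blocks)

def group_into_episodes(events, blocks, split_by=(), break_on_count=None, break_rule=None):
    """Place included events into episodes, one open episode per distinct split_by value;
    an episode ends at break_on_count events or when a break_rule event arrives (kept in it)."""
    open_episodes, episodes = {}, []
    for ev in events:
        if not policy_includes(ev, blocks):
            continue
        key = tuple(ev.get(f) for f in split_by)
        ep = open_episodes.setdefault(key, [])
        if not ep:  # a fresh list means a new episode just opened for this key
            episodes.append(ep)
        ep.append(ev)
        if (break_on_count and len(ep) >= break_on_count) or (break_rule and rule_matches(ev, break_rule)):
            del open_episodes[key]  # breaking condition met: close this episode
    return episodes
```

Running `group_into_episodes(SAMPLE_EVENTS, EXAMPLE_BLOCKS, split_by=("host",), break_rule=("severity", "matches", "Normal"))` yields three episodes: web01 closes when its Normal event arrives and a later web01 event opens a new one, while the disk_search event is never included.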
Add action rules to take specific actions on each episode created by the aggregation policy. Action rules are optional. You can define more than one action rule per aggregation policy.
- Use the If pane to specify the trigger conditions for the action(s).
- Use the Then pane to specify the actions to take if the trigger conditions are met.
For example, if you want to close the episode and change the severity level to Info when a clearing event comes in, you could specify the following:
If the following event occurs: Normal, change severity to Info for the episode, add a comment "Don't worry" for the episode, and change status to Closed for the episode.
Choose from the following default actions:
| Action | Description |
| --- | --- |
| Change severity | For example, change the severity to |
| Change status | For descriptions of each status, see Update the status of an episode. Changing an episode's status to |
| Change owner | Episodes are unassigned by default. |
| Add a comment | Does not accept token replacement. |
| Ping a host | Provide the event field that contains the host that you want to ping in the Host field. For example, |
| Send an email | For information on configuring an email, see Send an email in the ITSI User Manual. |
| Run a script | Provide the file name of the script stored in |
| Create an incident in ServiceNow | Requires the Splunk Add-on for ServiceNow. For configuration information, see Create a ticket in ServiceNow or Remedy. |
| Create an incident in Remedy | Requires the Splunk Add-on for Remedy. For configuration information, see Create a ticket in ServiceNow or Remedy. |
| Create an incident in VictorOps | Requires VictorOps For Splunk. For configuration information, see Create a ticket in VictorOps. |
Specify a title and description for your notable event aggregation policy. The policy is enabled by default and immediately takes effect. Disable it if you do not want it to take effect yet.
Click Next. A message confirms that the policy was created successfully. From then on, new incoming notable events are grouped in Episode Review according to the criteria in the policy. Notable events that existed before the policy was created are not grouped by it.
Enable Smart Mode on an aggregation policy
After creating and saving a custom aggregation policy, you can edit the policy to enable and configure Smart Mode. For information on enabling Smart Mode, see Enable Smart Mode in ITSI.
Set aggregation policy permissions
After you create a notable event aggregation policy, set read/write permissions for it to control who can modify or read it.
- Click Configure > Notable Event Aggregation Policies.
- Locate the policy and click Edit > Edit Permissions.
- Assign read or write permissions to roles as desired.
You cannot assign write permissions unless the role possesses the write_itsi_notable_aggregation_policy capability.
- Click Save.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5