Splunk® IT Service Intelligence

User Manual


Splunk IT Service Intelligence version 4.0.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Plan an upgrade of IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI. Click here for the latest version.

Overview of Episode Review in ITSI

Use Episode Review to see a unified view of all your service-impacting alerts. Episode Review displays episodes (groups of notable events) and their current status.

A notable event represents an anomalous incident detected by an ITSI multi-KPI alert, a correlation search, or anomaly detection algorithms. For example, a notable event can represent:

  • An alert that ITSI ingests from a third-party product into the itsi_tracked_alerts index.
  • A single KPI (such as cpu_load_percent) that exceeds a pre-defined threshold.
  • The result of a multi-KPI alert that correlates the status of multiple KPIs based on multiple trigger conditions.
  • The result of a correlation search that looks for relationships between data points.
  • An anomaly that has been detected when anomaly detection is enabled.

An episode represents a group of events occurring as part of a larger sequence (an incident or period considered in isolation).

As an analyst, you can use Episode Review to gain insight into the severity of episodes occurring in your system or network. You can use the console to triage new episodes, assign episodes to analysts for review, and examine episode details for investigative leads.

As an administrator, you can manage and customize Episode Review and episode settings.

You can perform actions on episodes, including running a script, sending an email, creating a ticket in ServiceNow or Remedy (if configured), adding a link to a ticket in an external system, and any other custom actions that are configured. You can also automatically perform actions on episodes through the use of notable event aggregation policies. See Notable Event Aggregation Policies in ITSI for more information.

Note: Monitor episodes and actions in Episode Review with the Event Analytics Audit dashboard. For more information, see Event Analytics Audit dashboard in this manual.

Episode management workflow

You can use this example workflow to triage and work on episodes in Episode Review:

  1. An IT operations analyst monitors Episode Review, sorting and performing high-level triage on newly created episodes.
  2. When an episode warrants investigation, the analyst acknowledges the episode, which moves the status from New to In Progress.
  3. The analyst researches and collects information on the episode using the drilldowns and fields in the episode details. The analyst records the details of their research in the Comments section of the episode.
  4. If the analyst cannot immediately find the root cause of the episode, the analyst might open a ticket in Remedy or ServiceNow.
  5. After the analyst has addressed the cause of the episode and any remediation tasks have been escalated or solved, the analyst sets the episode status to Resolved.
  6. The analyst assigns the episode to a final analyst for verification.
  7. The final analyst reviews and validates the changes made to resolve the episode, and sets the status to Closed.

When you close an episode created by an aggregation policy, this breaks the episode (no more events can be added to it) even if the breaking criteria specified in the aggregation policy were not met.

Service level permissions

By default, ITSI service-level permissions apply to episodes in Episode Review. This means that a user viewing Episode Review can only see events from services for which the user has read permission. If an event is not associated with a particular service (none of the fields in the event contains service information) then all users can view the event.

The ITSI administrator can choose to disable service-level permissions for Episode Review using the SA-ITOA/default/itsi_team.conf file. To disable service-level permissions for Episode Review, create a new itsi_team.conf file in the SA-ITOA/local directory and set disabled = 1 under the [notable_event_review_security_group] stanza.

If service-level permissions are disabled for Episode Review, all ITSI users can see all notable events, regardless of which service they are associated with. However, service information for services that a user does not have read access to will not be displayed for notable events.
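As an added configuration check (not Splunk's own code), the following Python layers a local itsi_team.conf over the default one in the way Splunk's default/local precedence works, then reports whether the Episode Review security-group stanza has been disabled, which is the setting an auditor would want to catch because it exposes all notable events to all ITSI users. The two file contents are constructed samples; only the stanza name and key come from this page, and the contents of the shipped default stanza are an assumption.

```python
import configparser

# Constructed sample of SA-ITOA/default/itsi_team.conf. Assumption: the shipped
# default leaves the stanza enabled; only the stanza name is taken from the docs.
DEFAULT_CONF = """
[notable_event_review_security_group]
disabled = 0
"""

# Constructed sample of an administrator's SA-ITOA/local/itsi_team.conf override.
LOCAL_CONF = """
[notable_event_review_security_group]
disabled = 1
"""

STANZA = "notable_event_review_security_group"


def parse_conf(text):
    """Parse a Splunk .conf file (INI-style) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_settings(default_text, local_text):
    """Merge local over default the way Splunk does: per stanza, local keys win."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def service_permissions_disabled(default_text, local_text):
    """True when the effective config turns off service-level permissions for
    Episode Review (disabled = 1, or the equivalent boolean, in the stanza)."""
    stanza = effective_settings(default_text, local_text).get(STANZA, {})
    return stanza.get("disabled", "0").strip().lower() in ("1", "true")


def audit(default_text, local_text):
    """Return a one-line finding suitable for a config audit or a detection rule."""
    if service_permissions_disabled(default_text, local_text):
        return "WARN: service-level permissions disabled for Episode Review; all users see all notable events"
    return "OK: service-level permissions enforced for Episode Review"


if __name__ == "__main__":
    print(audit(DEFAULT_CONF, LOCAL_CONF))
```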

For information about service level permissions, see ITSI Service-level permissions in the Installation and Configuration Manual.

Last modified on 07 December, 2018

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4
