Splunk® IT Service Intelligence

Use Splunk IT Service Intelligence

Download manual as PDF

Download topic as PDF

Triage episodes in ITSI

Use Episode Review as part of your episode triage workflow. You can monitor episodes and the actions that analysts take to resolve the issues that triggered an episode.

ITSI groups notable events into episodes according to the rules defined in the default aggregation policy or a custom policy you created. See Notable event aggregation policies overview for ITSI for more information.

If service level permissions are enabled for Episode Review, you only see episodes that contain at least one event associated with a service for which you have read permission or at least one event that is not associated with any services. For more information, see Overview of service-level permissions in ITSI.

Acknowledge episodes

When you identify an episode that requires investigation, the first step is to acknowledge the episode. Acknowledging a episode changes its status from New to In Progress and assigns the owner to the current ITSI user.

You can acknowledge an episode with a status of New. If an episode with a status of New is already assigned to an owner, acknowledging the episode changes the owner to the current ITSI user. You can acknowledge multiple episodes as long as at least one of the episodes has a status of New. Only the new episodes are updated to In Progress and assigned to the current user.

  1. Select an episode with a status of New.
  2. ClickAck.pngto assign the episode to the currently logged in ITSI user.

Accelerate triage with filters and sorting

Speed up your episode triage with search filters and sorting. For example, focus on specific episodes with the search filters and time range selector. Episodes contain Severity, Status, and Owner fields to help you categorize, track, and assign them.

You can filter for episodes created by the same aggregation policy by using the Policy filter to type the name of the aggregation policy that created an episode. As you type, the aggregation policy names appear for you to select. You can add more than one filter. For example, you could also add a filter for Owner, Unassigned to see only new episodes that are unassigned.

Click the Sorted by dropdown to select an attribute by which to sort episodes. For example, if you select Severity, the episodes are listed in order of highest to lowest severity level, and sorted secondarily by time. Click the arrow ( Arrow.png ) to switch between ascending and descending order.

Use the search box to search for specific text in an episode. You can use an asterisk as a wild card character. To search for a specific phrase, enclose the phrase in double quotes (for example: "service level alert").

The search field is not case sensitive.

To show which episodes are open (still receiving events) and which episodes are closed (no longer receiving events), click the gear icon ITSI gear.png and select + Add Column > Active Episode.

To save a filtered view of Episode Review, click Save as... and give the view a meaningful name. To access the saved view in the future, click the tab in the top left to pull out the Saved Views panel.
PullOutPane.png

To automatically refresh the dashboard at specific intervals, click the gear icon ITSI gear.png and specify the auto refresh period.

Assign episodes

Episodes are unassigned by default. You can assign one episode at a time, or several at once.

Prerequisite

  • You must have the itoa_admin, itoa_team_admin, or itoa_analyst role to assign episodes to a user.

Steps

  1. Select one or more new episodes.
  2. Click the Unassigned dropdown.
  3. Select an owner to assign the episode to.

If you use SAML authentication, it can take up to 10 minutes to update the list of users that you can assign episodes to.

Update the status of an episode

New episodes have the New status. As analysts triage and move an episode through the episode review workflow, the owner can update the status of the episode to reflect the actions they take to address it.

  1. Select one or more episodes.
  2. Click the status in the toolbar (for example, New). If the selected episodes have different statuses, Original Statuses is displayed.
  3. Change the status. The updated status is reflected in the episode.

If your changes are not immediately visible, check the dashboard filters. For example, if the filter is set to "New" after you changed an episode to "In Progress", your updated episode will not display.

You can choose from the following episode statuses.

Status Description
Unassigned Used by ITSI when an error prevents the episode from having a valid status assignment.
New Default status. The episode has not been reviewed.
In Progress An owner is investigating the episode.
Pending An action must occur before the episode can be closed.
Resolved The owner has addressed the cause of the episode and is waiting for verification.
Closed The resolution of the episode has been verified.

When you update an episode, the change is reflected in the episode but not in the individual events in the episode. For example, if you change the status to "In Progress" for an episode, the status of the episode changes to In Progress, but the individual notable events in the episode retain their own statuses.

PREVIOUS
Overview of Episode Review in ITSI
  NEXT
Investigate episodes in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters