Splunk® IT Service Intelligence

Administration Manual


Splunk IT Service Intelligence version 4.1.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI.

Customize Episode Review in ITSI

As a Splunk ITSI administrator, you can customize the way that analysts view and interact with events and episodes in Episode Review.

Modify which events analysts can see

By default, ITSI service-level permissions apply to episodes in Episode Review. This means that analysts viewing Episode Review can only see events from services for which they have read permission. If an event is not associated with a particular service (none of the fields in the event contains service information), then all users can view the event.

The ITSI administrator can choose to disable service-level permissions for Episode Review using the itsi_team.conf file. To disable service-level permissions for Episode Review, create a new itsi_team.conf file in the SA-ITOA/local directory and set disabled = 1 under the [notable_event_review_security_group] stanza.

If service-level permissions are disabled for Episode Review, all ITSI users can see all notable events, regardless of which service they are associated with. However, service information for services that a user does not have read access to will not be displayed for notable events.

For information about service-level permissions, see ITSI Service-level permissions in the Installation and Configuration Manual.
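
The following audit check is an added example, not part of the Splunk documentation or product. It reports whether the override described above is in effect. It assumes the usual Splunk layering in which a key set in SA-ITOA/local/itsi_team.conf overrides the same key from a lower-precedence copy, and that the values 1 and true both mean disabled. The function names and sample file contents are constructed for illustration.

```python
import re

STANZA = "notable_event_review_security_group"  # stanza name from this page
TRUTHY = {"1", "true"}  # assumption: values that switch the setting on


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def service_level_permissions_disabled(layers):
    """Return True if the effective 'disabled' value for the stanza is truthy.

    layers: conf file contents ordered from lowest to highest precedence,
    for example [default copy, SA-ITOA/local/itsi_team.conf].
    """
    effective = None
    for text in layers:
        value = parse_conf(text).get(STANZA, {}).get("disabled")
        if value is not None:
            effective = value  # a higher-precedence layer wins per key
    return effective is not None and effective.lower() in TRUTHY


# Constructed sample inputs, not taken from a real deployment.
DEFAULT_CONF = "[notable_event_review_security_group]\ndisabled = 0\n"
LOCAL_CONF = "# local override\n[notable_event_review_security_group]\ndisabled = 1\n"

if __name__ == "__main__":
    if service_level_permissions_disabled([DEFAULT_CONF, LOCAL_CONF]):
        print("WARNING: all ITSI users can see all notable events in Episode Review")
    else:
        print("OK: service-level permissions apply to Episode Review")
```

Run a check like this against the real file contents during configuration review, so that a change widening event visibility to all ITSI users does not go unnoticed.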

Modify analyst permissions

Configure read/write permissions on a saved view of Episode Review to restrict permissions for certain roles. By default, read and write permissions are granted to "Everyone" (all roles) for a newly created Episode Review.


  • You must have the itoa_admin or itoa_team_admin role, or be assigned the configure_perms capability, to set permissions on a saved Episode Review. For more information, see Configure users and roles in ITSI.


  1. Within Episode Review, click the side arrow to show alternate views.
  2. Click Full Lister Page.
  3. On the Episode Review lister page, click Edit > Permissions on the saved view you want to edit.
  4. Allow or prevent analysts from reading or writing to the saved Episode Review. Everyone is granted read/write access by default.
  5. Click Save.

Change Episode Review columns

You can change the columns displayed in a saved Episode Review.

  1. Click the gear icon to open the View Settings modal.
  2. Use the Columns Shown section to edit, remove, or change the order of the available columns.
  3. Add custom columns by selecting Add Column.
  4. Click Done.
Last modified on 12 February, 2019

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.1.0, 4.1.1, 4.1.2, 4.1.5
