Splunk® IT Service Intelligence

User Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.1.x reached its End of Life on January 19, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Investigate episodes in ITSI

After you finish triaging episodes, begin your investigation. Use the available fields on an episode to assess the urgency, contributing KPIs, and impacted entities associated with the episode.

Select an episode to open the episode details and learn more about the episode.

  • Use the Impact tab to view the services, KPIs, and entities that were impacted by the episode. Services are sorted by health score and KPIs are sorted by alert level. Select an impacted service or KPI to open it in Service Analyzer. The "Impacted Entities" section shows the highest outstanding event for each entity.
  • Review the Common Fields tab to see the fields shared by all events in the episode.
  • Review the Activity to see the recent investigation activity on the episode.
  • Use the All Events tab to see the individual notable events contained within the episode and a chart with event severity levels over time. For information on configuring drilldowns from this table, see the Notable Events section of the correlation search configuration.

If service level permissions are enabled for Episode Review, you only see the events you have permission to view in the All Events tab. If there are any events you do not have permission to view, the number of events you see is less than the number in the episode event count.

Any notable events that ITSI generates during a Splunk Enterprise restart are backfilled into episodes after restart. For more information, see Backfill notable events into episodes.

See a timeline of individual events

When viewing event details for an episode (a group of events), you can use the Events Timeline to see when individual events occurred. The timeline gives you a detailed look into the notable events contained within each episode and lets you perform a more granular root cause analysis. Colored bars (according to severity) represent individual events.


Use the Sort for and Group by menus to change how events are organized in the timeline, depending on what kind of analysis you want to do.

Sort for

The Sort for menu determines how events are sorted in the timeline.

Setting Description
Alarm state analysis Sorts events according to severity, with the most recent, most severe events appearing first. This view focuses on the changing state of the episode and is useful for assessing what is currently broken.
Root cause analysis Sorts events according to when the first event occurred. The exclamation mark identifies the first event in the group to experience a state change (the first event that was no longer "normal" within the context of the group). This view focuses on the cause of the episode and is useful for root cause analysis.

Group by

The Group by menu determines how events are grouped in the timeline.

Setting Description
Event type Groups events according to event type, which is the field generated by the values of the event identifier fields specified in the correlation search.
Entity Groups events according to the entity they are associated with.

Select an event type or entity name to open a separate table with all the events in that row. Click Edit Columns to add, remove, and reorder columns.


Last modified on 26 February, 2019
Triage episodes in ITSI
Take action on an episode in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters