Investigate episodes in ITSI
After you finish triaging episodes, begin your investigation. Use the available fields on an episode to assess the urgency, contributing KPIs, and impacted entities associated with the episode.
Select an episode to open the episode details and learn more about the episode.
- Use the Impact tab to view the services, KPIs, and entities that were impacted by the episode. Services are sorted by health score and KPIs are sorted by alert level. Select an impacted service or KPI to open it in Service Analyzer. The "Impacted Entities" section shows the highest outstanding event for each entity.
- Review the Common Fields tab to see the fields shared by all events in the episode.
- Review the Activity to see the recent investigation activity on the episode.
- Use the All Events tab to see the individual notable events contained within the episode and a chart with event severity levels over time. For information on configuring drilldowns from this table, see the Notable Events section of the correlation search configuration.
If service level permissions are enabled for Episode Review, you only see the events you have permission to view in the All Events tab. If there are any events you do not have permission to view, the number of events you see is less than the number in the episode event count.
Any notable events that ITSI generates during a Splunk Enterprise restart are backfilled into episodes after restart. For more information, see Backfill notable events into episodes.
See a timeline of individual events
When viewing event details for an episode (a group of events), you can use the Events Timeline to see when individual events occurred. The timeline gives you a detailed look into the notable events contained within each episode and lets you perform a more granular root cause analysis. Colored bars (according to severity) represent individual events.
Use the Sort for and Group by menus to change how events are organized in the timeline, depending on what kind of analysis you want to do.
The Sort for menu determines how events are sorted in the timeline.
| Option | Description |
|---|---|
| Alarm state analysis | Sorts events according to severity, with the most recent, most severe events appearing first. This view focuses on the changing state of the episode and is useful for assessing what is currently broken. |
| Root cause analysis | Sorts events according to when the first event occurred. The exclamation mark identifies the first event in the group to experience a state change (the first event that was no longer "normal" within the context of the group). This view focuses on the cause of the episode and is useful for root cause analysis. |
The Group by menu determines how events are grouped in the timeline.
| Option | Description |
|---|---|
| Event type | Groups events according to event type, which is the field generated by the values of the event identifier fields specified in the correlation search. |
| Entity | Groups events according to the entity they are associated with. |
Select an event type or entity name to open a separate table with all the events in that row. Click Edit Columns to add, remove, and reorder columns.
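The following is an added example, not code from Splunk or the ITSI documentation, that models the two Sort for orderings and the two Group by groupings described above over a handful of constructed notable events. It shows why the two sort modes surface different events first, and how the "first state change" marker falls out of the root cause ordering within each group. Field names other than `severity` and `entity_title`, the numeric severity ranks, and the `|` join used to build the event type from identifier field values are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Severity ordering for the Alarm state analysis sort. The names follow common
# ITSI severities; the numeric ranks are an assumption of this example.
SEVERITY_RANK = {"normal": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample notable events belonging to one episode. `host` and `kpi`
# stand in for the event identifier fields of a hypothetical correlation search.
EVENTS = [
    {"id": "e1", "time": "2023-01-01T10:00:00Z", "severity": "normal",   "entity_title": "web-01", "host": "web-01", "kpi": "cpu"},
    {"id": "e2", "time": "2023-01-01T10:01:00Z", "severity": "high",     "entity_title": "db-01",  "host": "db-01",  "kpi": "disk"},
    {"id": "e3", "time": "2023-01-01T10:02:00Z", "severity": "critical", "entity_title": "web-01", "host": "web-01", "kpi": "cpu"},
    {"id": "e4", "time": "2023-01-01T10:03:00Z", "severity": "high",     "entity_title": "web-02", "host": "web-02", "kpi": "cpu"},
    {"id": "e5", "time": "2023-01-01T10:04:00Z", "severity": "normal",   "entity_title": "db-01",  "host": "db-01",  "kpi": "disk"},
]


def parse_time(ts):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def event_type(ev, identifier_fields=("host", "kpi")):
    """Derive the event type from the values of the identifier fields.

    The page states the event type is generated from those values; joining them
    with '|' is this example's assumption, not ITSI's actual encoding.
    """
    return "|".join(str(ev[f]) for f in identifier_fields)


def alarm_state_order(events):
    """Alarm state analysis: most severe first, ties broken by most recent first."""
    return sorted(events, key=lambda e: (SEVERITY_RANK[e["severity"]], parse_time(e["time"])), reverse=True)


def root_cause_order(events):
    """Root cause analysis: chronological, so the earliest event leads."""
    return sorted(events, key=lambda e: parse_time(e["time"]))


def first_state_change(events):
    """Return the first event (in time) that is no longer 'normal', or None.

    This is the event the timeline marks with an exclamation mark within a group.
    """
    for ev in root_cause_order(events):
        if ev["severity"] != "normal":
            return ev
    return None


def group_by(events, mode):
    """Group events by 'event_type' or 'entity', preserving input order within groups."""
    if mode == "event_type":
        key = event_type
    elif mode == "entity":
        key = lambda e: e["entity_title"]
    else:
        raise ValueError(f"unknown group mode: {mode}")
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    return dict(groups)


def state_change_markers(events, mode):
    """Map each group to the id of its first state-change event (the '!' marker)."""
    markers = {}
    for name, members in group_by(events, mode).items():
        first = first_state_change(members)
        markers[name] = first["id"] if first else None
    return markers


if __name__ == "__main__":
    print("Alarm state:", [e["id"] for e in alarm_state_order(EVENTS)])
    print("Root cause: ", [e["id"] for e in root_cause_order(EVENTS)])
    print("Markers by event type:", state_change_markers(EVENTS, "event_type"))
    print("Markers by entity:    ", state_change_markers(EVENTS, "entity"))
```

Run stand-alone, the alarm state view lists `e3` (critical) first and pushes the two `normal` events to the bottom, while the root cause view leads with `e1` and marks `e2` as the first event in the episode to leave the normal state; grouping by event type and by entity produces the same three groups here only because each constructed entity maps to a single identifier-field combination.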
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5