Overview of correlation searches in ITSI
A correlation search in IT Service Intelligence (ITSI) is a recurring search that scans multiple data sources for defined patterns. You can configure a correlation search to generate a notable event (alert) when search results meet specific conditions. Review notable events that your correlation searches generate in Episode Review and initiate the investigative process of determining root cause.
You can use an ITSI correlation search to ingest third-party alerts as ITSI notable events. If you're creating a correlation search to ingest alerts from a third-party product, such as Nagios or SCOM, see Ingest third-party alerts into ITSI for specific instructions.
Do not create correlation searches by manually editing
$SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf. The search will not appear on the correlation search lister page. Always create correlation searches directly in the IT Service Intelligence app.
Correlation searches for ITSI-specific use cases
The following correlation searches are delivered with ITSI to complement product-specific features. You can enable them and modify them to meet your needs.
|Bidirectional Ticketing||Maps ServiceNow fields to Common Information Model (CIM) fields to enable bidirectional ticketing with ServiceNow. See Integrate ITSI with ServiceNow for information.||Disabled|
|Monitor Critical Service Based on Health Score||Generates notable events for services with a critical health score.||Disabled|
|Normalized Correlation Search||Generates notable events for any third-party alerts being ingested into ITSI that include ITSI normalized fields. If you enable this search, ITSI generates notable events for all third-party alerts that contain the following normalized fields, including those from SAI:
|SNMP Traps||Generates notable events for SNMP traps being ingested into ITSI. See Ingest SNMP traps into ITSI for more information.||Disabled|
|Splunk App for Infrastructure Alerts||Generates notable events from Splunk App for Infrastructure (SAI) alerts when you enable integration between SAI and ITSI.
Note: As of ITSI 4.9.0, the Splunk App for Infrastructure is no longer packaged with ITSI.
Overview of Event Analytics in ITSI
Generate events with correlation searches in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.16.0 Cloud only
Feedback submitted, thanks!