Splunk® IT Service Intelligence

Event Analytics Manual

Splunk IT Service Intelligence (ITSI) version 4.11.x reached its End of Life on December 6, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.

Customize episode statuses in ITSI

As an IT Service Intelligence (ITSI) administrator, you can adjust the episode status names to fit your organization's investigation workflow. The status aligns with the stages of an investigation, and can be used to review and report on the progress of an episode investigation in Episode Review.

The following default statuses are available for episodes:

Status Description
Unknown Used by ITSI when an error prevents the episode from having a valid status assignment.
New Default status. The episode is logged but has not been triaged.
In Progress The episode is assigned and the owner is investigating the issue.
Pending The responsibility for the episode shifts temporarily to another entity to provide further information, evidence, or a resolution. An action must occur before the episode can be closed.
Resolved The owner has addressed the cause of the episode and is waiting for verification. A satisfactory fix is provided to ensure it doesn't occur again.
Closed It's confirmed that the episode is satisfactorily resolved.

Edit episode statuses

Every episode is assigned a status of New by default when it is created by an aggregation policy. You can customize episode statuses to match an existing workflow in your organization.

Prerequisites

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps

  1. Open or create a local itsi_notable_event_status.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local.
  2. Add, modify, or remove statuses as necessary depending on the existing workflow in your organization.

    Do not edit the Unassigned and New statuses because they are defaults used when creating episodes.

    [0]
    label = Unassigned
    description = An error is preventing the issue from having a valid status assignment
    
    ## Enable status "new"
    ## Enable selected (automatically selects status element in applicable UI pulldowns)
    [1]
    disabled = 0
    default = 1
    label = New
    description = Event has not been reviewed
    
    ## Enable status "in progress"
    [2]
    disabled = 0
    label = In Progress
    description = Investigation or response is in-process
    
    ## Enable status "pending"
    [3]
    disabled = 0
    label = Pending
    description = Event closure is pending some action
    
    ## Enable status "resolved"
    [4]
    disabled = 0
    label = Resolved
    description = The issue has been resolved and awaits verification
    
    ## Enable status "closed"
    [5]
    disabled = 0
    label = Closed
    description = Issue has been resolved and verified
    end = 1
     
Last modified on 28 April, 2023
Modify analyst permissions within Episode Review in ITSI   Customize episode severities in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters