Normalize event fields in ITSI
Normalizing event fields in IT Service Intelligence (ITSI) lets you search similar alerts across multiple alert sources much more easily. It also standardizes methods for "grooming" alerts, regardless of their source.
Normalize entity fields
Add a new alias field called
entity_name to every entity which might be used as the Entity Lookup field in a notable event correlation search. As a best practice, add
entity_name to each entity as an alias containing the title of the entity.
- Click Configuration > Entities.
- Click Create Entity > Import from Search.
- Enter the following ad-hoc search:
| inputlookup itsi_entities | eval entity_name=title
- Click Next.
- For the
entity_namerow, change the Import Column As field to
Entity Title. Leave all others as
Do Not Import
- Make sure Conflict Resolution is set to
Update Existing Entities.
- Click Import.
After the import completes, click View All Entities, then select any entity. It should have an alias field
entity_name which contains the name of the entity itself. This field can be used for all notable event correlation searches as the
Entity Lookup Field
Ingest SNMP traps into ITSI
Overview of notable events in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.16.0 Cloud only
Feedback submitted, thanks!