Splunk® IT Service Intelligence

Event Analytics Manual

Splunk IT Service Intelligence (ITSI) version 4.12.x reached its End of Life on January 22, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.

Normalize event fields in ITSI

Normalizing event fields in IT Service Intelligence (ITSI) lets you search similar alerts across multiple alert sources much more easily. It also standardizes methods for "grooming" alerts, regardless of their source.

Normalize entity fields

Add a new alias field called entity_name to every entity which might be used as the Entity Lookup field in a notable event correlation search. As a best practice, add entity_name to each entity as an alias containing the title of the entity.

  1. Click Configuration > Entities.
  2. Click Create Entity > Import from Search.
  3. Enter the following ad-hoc search:

    | inputlookup itsi_entities | eval entity_name=title

  4. Click Next.
  5. For the entity_name row, change the Import Column As field to Entity Title. Leave all others as Do Not Import
  6. Make sure Conflict Resolution is set to Update Existing Entities.
  7. Click Import.

After the import completes, click View All Entities, then select any entity. It should have an alias field entity_name which contains the name of the entity itself. This field can be used for all notable event correlation searches as the Entity Lookup Field

Last modified on 28 April, 2023
Ingest SNMP traps into ITSI   Ingest third-party alerts into ITSI with correlation searches

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters