Customize episode statuses in ITSI
As an IT Service Intelligence (ITSI) administrator, you can adjust the episode status names to fit your organization's investigation workflow. The status aligns with the stages of an investigation, and can be used to review and report on the progress of an episode investigation in Episode Review.
The following default statuses are available for episodes:
Status | Description |
---|---|
Unknown | Used by ITSI when an error prevents the episode from having a valid status assignment. |
New | Default status. The episode is logged but has not been triaged. |
In Progress | The episode is assigned and the owner is investigating the issue. |
Pending | The responsibility for the episode shifts temporarily to another entity to provide further information, evidence, or a resolution. An action must occur before the episode can be closed. |
Resolved | The owner has addressed the cause of the episode and is waiting for verification. A satisfactory fix is provided to ensure it doesn't occur again. |
Closed | It's confirmed that the episode is satisfactorily resolved. |
Edit episode statuses
Every episode is assigned a status of New by default when it is created by an aggregation policy. You can customize episode statuses to match an existing workflow in your organization.
Prerequisites
- Only users with file system access, such as system administrators, can edit episode statuses using configuration files.
- Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
- You can have configuration files with the same name in your default, local, and app directories. Read Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.
Steps
- Open or create a local itsi_notable_event_status.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local.
- Add, modify, or remove statuses as necessary depending on the existing workflow in your organization.
Do not edit the Unassigned and New statuses because they are defaults used when creating episodes.
```
[0]
label = Unassigned
description = An error is preventing the issue from having a valid status assignment

## Enable status "new"
## Enable selected (automatically selects status element in applicable UI pulldowns)
[1]
disabled = 0
default = 1
label = New
description = Event has not been reviewed

## Enable status "in progress"
[2]
disabled = 0
label = In Progress
description = Investigation or response is in-process

## Enable status "pending"
[3]
disabled = 0
label = Pending
description = Event closure is pending some action

## Enable status "resolved"
[4]
disabled = 0
label = Resolved
description = The issue has been resolved and awaits verification

## Enable status "closed"
[5]
disabled = 0
label = Closed
description = Issue has been resolved and verified
end = 1
```
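The following pre-deployment check for a proposed local file is an added example, not part of the Splunk documentation or of ITSI itself. It flags edits to the protected Unassigned and New stanzas; the function name `lint_status_conf`, the sample file, and the numeric-stanza, single-default and unique-label checks are assumptions drawn from the listing above, not documented ITSI rules.

```python
import configparser

# Protected values, copied from the [0] and [1] stanzas in the listing above.
PROTECTED = {"0": {"label": "Unassigned"},
             "1": {"label": "New", "disabled": "0", "default": "1"}}

# Constructed sample of a proposed local file (not from a real deployment).
SAMPLE = """\
[1]
label = Open

[6]
label = Escalated
description = Handed to the on-call engineer
default = 1

[7]
label = escalated
"""

def lint_status_conf(text):
    """Return findings for a proposed local itsi_notable_event_status.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    try:
        cp.read_string(text)
    except configparser.Error as exc:  # duplicate stanza or key, malformed line
        return [f"parse error: {exc}"]
    findings, labels = [], {}
    for stanza in cp.sections():
        keys = cp[stanza]
        if not stanza.isdigit():  # assumption: status ids are numeric, as on the page
            findings.append(f"[{stanza}]: stanza name is not numeric")
        # A local file overlays the default one, so only keys that are present
        # in it can change a protected status.
        for key, expected in PROTECTED.get(stanza, {}).items():
            if key in keys and keys[key].strip() != expected:
                findings.append(f"[{stanza}]: {key} changed from {expected!r} to {keys[key]!r}")
        if stanza != "1" and keys.get("default", "0").strip() == "1":
            findings.append(f"[{stanza}]: sets default = 1, but New must stay the default")
        label = keys.get("label", "").strip().lower()
        if label and keys.get("disabled", "0").strip() != "1":
            if label in labels:  # assumption: enabled labels should be unique
                findings.append(f"[{stanza}]: label duplicates [{labels[label]}]")
            labels.setdefault(label, stanza)
    return findings

if __name__ == "__main__":
    for finding in lint_status_conf(SAMPLE):
        print(finding)
```

Run it against the candidate file before copying it into the local directory; an empty result means none of these checks fired.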
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1