Splunk® IT Service Intelligence

Event Analytics Manual

Splunk IT Service Intelligence (ITSI) version 4.12.x reached its End of Life on January 22, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.

Restore active episodes when the Rules Engine restarts in ITSI

The Rules Engine itsi_event_grouping search in IT Service Intelligence (ITSI) is responsible for aggregating notable events into episodes. If the Rules Engine is disabled, either during a restart of Splunk Enterprise or manually by a user, it stops grouping notable events.

When the Rules Engine restarts and the itsi_event_grouping search is re-enabled, the Rules Engine restores active episodes over the last 90 days. Then it searches for notable events that were missed while the search was disabled and backfills them accordingly into episodes. This functionality is distinctly different than periodic backfill, which only functions when the Rules Engine is up and running. Periodic backfill looks for events missed because of data unavailability on the indexers. For more information, see Configure Rules Engine periodic backfill in ITSI.

The default lookback time for missed events and episodes is 2160 hours (90 days). If you expect episodes in your environment to remain active for more than 90 days, you can increase the lookback time by modifying the group_restore_lookback_time field in the itsi_rules_engine.properties file.

Prerequisites

  • Only users with file system access, such as system administrators, can modify the Rules Engine lookback time.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.

Steps

  1. Open or create a local copy of the itsi_rules_engine.properties file at $SPLUNK_HOME/etc/apps/SA-ITOA/local/.
  2. Add the following setting to the file: group_restore_lookback_time = <number of hours>.

    For example, to look back two days, add the following setting:
    group_restore_lookback_time = 48
    
Last modified on 28 April, 2023
Tune episode and aggregation policy sizing parameters in ITSI   Configure Rules Engine periodic backfill in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters