itsi_event_management.conf

The following are the spec and example files for itsi_event_management.conf.

itsi_event_management.conf.spec

# This file contains attributes and values for configuring different ITSI
# event management features.
#
# There is an itsi_event_management.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place an itsi_event_management.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local/. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles

GLOBAL SETTINGS

# Use the [default] stanza to define any global settings.
#  * You can also define global settings outside of any stanza, at the top
#    of the file.
#  * Each .conf file should have at most one default stanza. If there are
#    multiple default stanzas, attributes are combined. In the case of
#    multiple definitions of the same attribute, the last definition in the
#    file wins.
#  * If an attribute is defined at both the global level and in a specific
#    stanza, the value in the specific stanza takes precedence.

[<stanza_name>]

* A setting that you want to enable for Episode Review.
* Supported settings (stanzas) are 'similar_episodes' and 'common_fields'

[similar_episodes]

default_fields = <comma-seperated list>
* The list of field names selected by default in Similar Episodes pane
* For example, ["title","description","host"]
* Default: ["title"]

[common_fields]

number_of_fields = <integer|all>
* The number of common fields to display on the Common Fields tab of an episode.
* Can be a positive integer or the word "all" to display all common fields.
* For example, "50" displays 50 common fields.
* Default: 50

[migration]

The settings in this stanza apply to upgrades from pre-4.6.0 ITSI versions to
version 4.6.0 or later. The settings support the addition of the following
fields to the itsi_notable_group_system KV store collection: parent_group_id,
split_by_hash, first_event_id, and group_template_id. If you are upgrading from
ITSI version 4.6.0 or later, these settings no longer apply.

kv_store_batch_size = <integer>
* The maximum batch size of fetch requests to the itsi_notable_group_system
  KV store collection.
* For example, if set to "10000", 10,000 objects are fetched
  from the KV store in a single fetch request.
* Default: 10000

cluster_manager_check_required = <integer>
* Whether a cluster manager check is required before migration starts.
* If set to "1", a cluster manager check is required.
* If set to "0", migration proceeds without a cluster manager check.
* Default: 1

itsi_grouped_alerts_index_lookback = <integer>
* The amount of time, in days, to look back to fetch old active groups from the itsi_grouped_alerts index.
* For example, if set to "60", active groups from last two months are fetched from the index.
* Default: 90

itsi_grouped_alerts_index_search_wait_time = <integer>
* The amount of time, in seconds, to wait for the search job to return results from the itsi_grouped_alerts index.
* For example, if set to "900", the search job will wait for 15 minutes to return results from the index.
* Default: 7200

[precheck]

The settings in this stanza apply to upgrades from pre-4.6.0 ITSI versions to
version 4.6.0 or later. The settings suppport the prechecks that runs before
the migration happens.

kv_store_collection_size_limit = <integer>
* The maximum number of a single object type allowed in any KV store collection.
* For example, if set to "1000000", 1000000 objects of a single type are allowed in a KV store collection. 
* Default: 1000000

itsi_event_management.conf.example

No example