Overview of notable events in ITSI
A notable event is the foundational unit of the IT Service Intelligence (ITSI) Event Analytics functionality. A notable event is a stored alert with a unique ID, time, status, severity, and owner. Notable events are typically generated by a correlation search, but they can also be directly fed into the system by anomaly detection or other REST sources.
Notable events are fed into the Event Analytics Rules Engine to create episodes and trigger episode actions. For more information about how the Rules Engine functions, see About the ITSI Rules Engine.
Splunk IT Service Intelligence (ITSI) implements custom indexes for notable event storage. In a single instance deployment, the installation of ITSI creates the indexes in $SPLUNK_HOME/var/lib/splunk
.
The following table lists the indexes used to store notable event and episode metadata:
Index | Description |
---|---|
itsi_tracked_alerts | Stores active raw notable event data. |
itsi_notable_audit | Stores all audit events for episodes, including actions, comments, status change, and owner change. |
itsi_grouped_alerts | Stores active episode data. |
itsi_notable_archive | Stores episode tags that have been moved from the KV store after a default 6 month retention period, which begins when you close an episode in the UI. Moving data from the KV store removes extraneous data and helps improve performance. |
ITSI uses an indexed real-time search to retrieve notable events from the Splunk platform. Indexed real-time searches have a delay of about 90 seconds before events get processed. Using concurrent real-time search instead of indexed real-time search is not supported for the itsi_event_grouping
search because it significantly impacts system performance.
Ingest third-party alerts into ITSI | Modify notable event KV store collections in ITSI |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1
Feedback submitted, thanks!