Normalize event fields in ITSI
Normalizing event fields in IT Service Intelligence (ITSI) lets you search similar alerts across multiple alert sources much more easily. It also standardizes methods for "grooming" alerts, regardless of their source.
Normalize entity fields
Add a new alias field called entity_name to every entity which might be used as the Entity Lookup Field in a notable event correlation search. As a best practice, add entity_name to each entity as an alias containing the title of the entity.
- Click Configuration > Entities.
- Click Create Entity > Import from Search.
- Enter the following ad-hoc search:
| inputlookup itsi_entities | eval entity_name=title
- Click Next.
- For the entity_name row, change the Import Column As field to Entity Title. Leave all others as Do Not Import.
- Make sure Conflict Resolution is set to Update Existing Entities.
- Click Import.
After the import completes, click View All Entities, then select any entity. It should have an alias field entity_name which contains the name of the entity itself. This field can be used for all notable event correlation searches as the Entity Lookup Field.
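To confirm the result across all entities rather than by spot-checking one, the following search (an added example, not part of the ITSI documentation) lists every entity whose entity_name alias is missing or does not match its title. It assumes the alias is exposed as an entity_name column in the itsi_entities lookup, in the same way title is.

```spl
| inputlookup itsi_entities
| eval entity_name_status=case(isnull(entity_name), "missing",
                               entity_name!=title, "mismatch",
                               true(), "ok")
| where entity_name_status!="ok"
| table title entity_name entity_name_status
```

An empty result means every entity carries the alias and is ready to be used as the Entity Lookup Field; entities that do appear (for example ones created after the import ran) can be fixed by repeating the import.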
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1