notable_event_correlation.conf
The following are the spec and example files for notable_event_correlation.conf.
notable_event_correlation.conf.spec
# This file contains attributes and values that ITSI Smart Mode uses to correlate
# notable events.
#
# There is a notable_event_correlation.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place a notable_event_correlation.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local. You must restart Splunk software to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
GLOBAL SETTINGS
# Use the [default] stanza to define any global settings.
#   * You can also define global settings outside of any stanza, at the top
#     of the file.
#   * Each .conf file should have at most one default stanza. If there are
#     multiple default stanzas, attributes are combined. In the case of
#     multiple definitions of the same attribute, the last definition in the
#     file wins.
#   * If an attribute is defined at both the global level and in a specific
#     stanza, the value in the specific stanza takes precedence.
[<smart_mode_correlation_engine>]
* The settings under this stanza determine how ITSI Smart Mode analyzes notable
  event fields to determine whether they contain textual or categorical content.
* Smart Mode uses machine learning to compare event field values and group
  events that are related to each other.
* CAUTION: This configuration file does not support adding any additional
  stanzas. Do not add, remove, or change any of the settings or stanzas in this
  file unless specifically instructed to by a Splunk support specialist.
BLACKLIST FIELDS
black_list_fields = <comma-separated list>
* A list of field names in a notable event whose values to discard from
  consideration for Smart Mode event correlation.
TEXTUAL FIELDS
text_field_names = <comma-separated list>
* A list of field names in a notable event that usually represent textual content.
* A text field is a data structure that holds alphanumeric data, such as name
  and address.
* Defaults: comment,description,summoary,review,message

ignore_fields_that_contain = <comma-separated list>
* A list of field names to implicitly ignore because they are not useful for
  event correlation.
* ITSI ignores field names that contain any of the words in this list.
* For example, with the default "time", ITSI ignores fields that represent
  time, like alert_triggertime, alerttriggertime, lasttimeup, etc.
* Default: time

threshold_event_coverage_perc = <int>
* A threshold value for considering a notable event field as a text field.
* If the count (total number of occurrences) of a field divided by the total
  number of events processed in the time frame is less than the percentage
  specified in 'threshold_event_coverage_perc', then the notable event field
  is a text field.
* Default: 10
CATEGORICAL FIELDS
threshold_distinct_value_perc = <int>
* A threshold value for considering a notable event field as a categorical field.
* If the distinct_count (count of distinct values) of a field divided by the
  count (total number of occurrences) of the field is less than the percentage
  specified, then the notable event field is a categorical field.
* Categorical fields have a distinct value, such as a status field, as opposed
  to textual data, descriptions, numerical values, and comments.
* If this setting determines that a field is NOT a categorical field, ITSI uses
  the two settings below ('min_distinct_value_perc' and 'max_count_perc') in a
  second calculation to check whether the field is a categorical field.
* Default: 35

min_distinct_value_perc = <int>
* Helps confirm whether a notable event field is a categorical field.
* Sets the minimum distinctive value percentage that a notable event field must
  be to be considered a categorical field.
* If the cumulative sum of 'min_distinct_value_perc' of distinct_count (count of
  unique values) of a field is at least 'max_count_perc' of the count (total
  number of occurrences) of the field, then the notable event field is
  considered a categorical field.
* For example, consider the following field:value pairs:
    {field:value1 count:34}, {field:value2 count:31}, {field:value3 count:5},
    {field:value4 count:5}, ..., {field:value18 count:1}, {field:value19 count:1},
    {field:value20 count:1}
  There are 20 different values listed for this field, so distinct_count = 20.
  ITSI sums the counts of all the values, so count = 80.
    80% of count = 64
    10% of distinct_count = 2, so you add the counts of the first two values
    above (34 + 31).
    {field:value1 count:34} + {field:value2 count:31} = 34 + 31 = 65 > 64
  Because 65 is at least 64, "field" is a categorical field.
* Default: 10

max_count_perc = <int>
* Helps confirm whether a notable event field is a categorical field.
* Sets the maximum count percentage that a notable event field must be to be
  considered a categorical field.
* If the cumulative sum of 'min_distinct_value_perc' of distinct_count (count of
  unique values) of a field is at least 'max_count_perc' of the count (total
  number of occurrences) of the field, then the notable event field is
  considered a categorical field.
* See the example for the 'min_distinct_value_perc' setting to understand how
  this setting works.
* Default: 80
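The rules above can be tried offline against constructed events. The following is an added example, not ITSI's own code and not part of this page: it reimplements the text and categorical checks as the spec states them, using the spec's parameter names and default values. The order in which the checks are applied (ignore list, then text, then categorical), the integer comparisons, and rounding the "top 10% of distinct values" count up are assumptions of this example; the sample events and field names are constructed.

```python
"""Added example (not ITSI code): the field classification rules described in
notable_event_correlation.conf.spec, applied to constructed sample events."""
import math
from collections import Counter, defaultdict

# Default values as listed in the spec; the keys are the spec's own setting names.
DEFAULTS = {
    "black_list_fields": (),
    "text_field_names": ("comment", "description", "summoary", "review", "message"),
    "ignore_fields_that_contain": ("time",),
    "threshold_event_coverage_perc": 10,
    "threshold_distinct_value_perc": 35,
    "min_distinct_value_perc": 10,
    "max_count_perc": 80,
}


def is_ignored(field, cfg=DEFAULTS):
    """Blacklisted names, and names containing an ignore word such as 'time', are dropped."""
    if field in cfg["black_list_fields"]:
        return True
    return any(word in field for word in cfg["ignore_fields_that_contain"])


def is_text_field(field, count, total_events, cfg=DEFAULTS):
    """Text if the name is a known text field, or if the field's event coverage
    (count / total_events) is below threshold_event_coverage_perc.
    The comparison is done on integers to avoid float rounding surprises."""
    if field in cfg["text_field_names"]:
        return True
    return count * 100 < cfg["threshold_event_coverage_perc"] * total_events


def is_categorical(value_counts, cfg=DEFAULTS):
    """value_counts: Counter mapping each distinct value of one field to its occurrences."""
    count = sum(value_counts.values())
    distinct_count = len(value_counts)
    if count == 0:
        return False
    # First check: distinct_count / count below threshold_distinct_value_perc.
    if distinct_count * 100 < cfg["threshold_distinct_value_perc"] * count:
        return True
    # Second check: do the top min_distinct_value_perc % of values account for at
    # least max_count_perc % of all occurrences?  Rounding top_n up is an
    # assumption; the spec does not say how a fractional value count is handled.
    top_n = max(1, math.ceil(distinct_count * cfg["min_distinct_value_perc"] / 100))
    top_sum = sum(c for _, c in value_counts.most_common(top_n))
    return top_sum * 100 >= cfg["max_count_perc"] * count


def classify_fields(events, cfg=DEFAULTS):
    """Return {field: 'ignored' | 'text' | 'categorical' | 'other'} for a list of event dicts.
    Check order (ignored, text, categorical) is an assumption of this example."""
    counts = Counter()
    values = defaultdict(Counter)
    for ev in events:
        for field, value in ev.items():
            counts[field] += 1
            values[field][value] += 1
    result = {}
    for field in counts:
        if is_ignored(field, cfg):
            result[field] = "ignored"
        elif is_text_field(field, counts[field], len(events), cfg):
            result[field] = "text"
        elif is_categorical(values[field], cfg):
            result[field] = "categorical"
        else:
            result[field] = "other"
    return result


def sample_events():
    """Constructed sample: 100 notable events with a three-value severity field,
    four hosts, a free-text description, a timestamp field, and a ticket field
    that is present on only 4 of the 100 events (4% coverage)."""
    events = []
    for i in range(100):
        ev = {
            "severity": ["critical", "high", "medium"][i % 3],
            "host": f"web{i % 4:02d}",
            "description": f"disk usage alert #{i} on volume /data",
            "alert_triggertime": 1700000000 + i,
        }
        if i % 25 == 0:
            ev["ticket_id"] = f"INC-{i}"
        events.append(ev)
    return events


if __name__ == "__main__":
    for field, kind in sorted(classify_fields(sample_events()).items()):
        print(f"{field:20s} {kind}")
```

Running the module prints one line per field: `severity` and `host` come out categorical through the first check alone, `description` is text by name, `ticket_id` is text because it covers only 4% of events, and `alert_triggertime` is ignored because its name contains "time". Note that with the default thresholds the second (cumulative) check only matters when the first one fails, so when tuning these values it is worth re-running a sample like this one to see which rule actually decided each field.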
notable_event_correlation.conf.example
No example
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.16.0 Cloud only