Splunk® IT Service Intelligence

Event Analytics Manual

This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

Take action on an episode in ITSI

After triaging and investigating an episode in IT Service Intelligence (ITSI), you can take optional steps to address the issue. The following episode actions are available in the Episode Review Actions menu:

  • Share the episode
  • Add a reference link
  • Link a ticket
  • Ping a host
  • Send an email
  • Create a ticket in an external ticketing system

Some actions might not be available to you if role-based permissions restrict them. All episode actions are Splunk platform alert actions that you can manage in the alert actions manager. For more information, see Using the alert actions manager in the Alerting Manual. You can set permissions per user role for each episode action. These permissions also determine which actions are available in a notable event aggregation policy.

Share episode

Generate a URL that links to a filtered view of Episode Review. For example, you might want to link directly to the Events Timeline tab within a specific episode. Generate a custom link to that episode that you can save, send, or bookmark.

  1. Select an episode.
  2. (Optional) Select a specific tab within the episode.
  3. Click Actions > Share episode.
  4. Copy the link.

Add a reference link

Reference links are static links to external websites or tickets. The links are visible on the Impact tab of an episode. Reference links don't support bidirectional integrations.

  1. Select an episode.
  2. Click Actions > Add reference link.
  3. Configure the following fields:
    URL Description: A description of the link destination. For display purposes only.
    URL: The external link for drilldown purposes. The URL must start with http:// or https://. Otherwise it is interpreted as a relative URI.
  4. Click Done.
  5. Click the Activity tab to confirm that the link was created.
  6. Click the Impact tab to see the link under Reference Links.

Link a ticket

You can link an episode to one or more tickets in your external ticketing system of choice. Your role needs the run_sendalert capability in order to use this action.

For example, you might see an episode related to a disk failure in Episode Review and remember that a ticket has already been created for this issue in Remedy or Helix. You can link the Remedy or Helix ticket to the ITSI episode so that you can quickly open the ticket later to review the status and progress of the investigation.

If you link more than one episode to an external ticket, the ticket link is added to each episode individually.

  1. Select one or more episodes.
  2. Click Actions > Link Ticket.
  3. Configure the following fields:
    Ticket System: The name of the external ticketing system. Supports field substitution.
    Ticket ID: The ID number of the specific ticket.
    Ticket URL: The link to the ticket for drilldown purposes. The URL must start with http:// or https://. Otherwise it is interpreted as a relative URI.
  4. Click Done.
  5. Click the Activity tab to confirm that the ticket was linked.
  6. Click the Impact tab to see a link to the ticket under All Tickets. The ticket is linked to each notable event in the episode.

Display a ticket column

Add a column to Episode Review that displays the tickets linked to each episode.

  1. Click the gear icon.
  2. Click Add Column and select All Tickets.
  3. Click Done.

Ping a host

Determine whether a host is still active on the network by pinging the host.

  1. Select an episode.
  2. Click Actions > Ping host.
  3. In the Host field, type the name of the event field that contains the host you want to ping, using the format %<fieldname>%. For example, %server%.
  4. Click Done.

Send an email

Send an email as a result of an episode. ITSI sends a single email for the episode, even if the episode contains multiple events.

Make sure the mail server is configured in the Splunk platform before performing this action.

  1. Select an episode in Episode Review.
  2. Click Actions > Send email.
  3. In the To field, type a comma-separated list of email addresses to send the email to.
  4. (Optional) Change the priority of the email. Defaults to Lowest.
  5. Type a subject for the email. The subject defaults to Splunk Results. You can include tokens that insert text based on the results of the search using the format $result.<fieldname>$. For example: $result.title$
  6. Type a message to include as the body of the email. You can include tokens that insert text based on the results of the search using the format $result.<fieldname>$. For example: $result.event_id$. Alternatively, select a message template to populate the email body with a preconfigured message.
  7. Select whether to send the email as HTML and plain text, or just plain text.
  8. Click Done.

Create a ticket in ServiceNow

You can create a ticket in your ServiceNow incident tracking system for an episode. After you install and configure the corresponding add-on on your Splunk platform, an option to create a ticket in that system appears in the Episode Review Actions menu.

ITSI supports bidirectional integration with ServiceNow if you have the corresponding action rules configured in the aggregation policy. For more information about the integration with ServiceNow, see Integrate ITSI with ServiceNow in the Event Analytics manual.

  1. Select an episode in Episode Review.
  2. Click Actions > Create ServiceNow incident.
  3. Configure all relevant fields. For descriptions and examples of each ServiceNow field, and for instructions on how to pass custom fields, see Use custom alert actions for the Splunk Add-on for ServiceNow in the Splunk Add-on for ServiceNow manual.
    Note: You don't need to provide a correlation ID because ITSI takes care of associating the episode with ServiceNow for you. If you provide an ID, it's ignored.
  4. Click Done. After a few seconds the following message appears: Successfully dispatched actions. View in Activity.
  5. Click View in Activity to see one or more entries related to ServiceNow.
  6. Go to the Impact tab to see the incident number listed under All Tickets. Click this link to open the ticket in ServiceNow. Note that the name that appears in the Opened by field of the ServiceNow incident is the name of the Splunk user that configured the Splunk Add-on for ServiceNow, regardless of which ITSI user creates the ticket.

Create ServiceNow incidents in bulk

When you create ServiceNow incidents in bulk, a separate incident is created for each ITSI episode. The link to the incident appears in the All tickets section of the Impact tab.

  1. Press Shift and select the episodes you want to create ServiceNow incidents for. You can create up to 25 incidents at a time.
  2. Click Actions > Create ServiceNow incident.
  3. Configure the fields corresponding to fields in ServiceNow. Do not enter a Correlation ID. ITSI associates the episode with the external ticket for you.
  4. Click Done. Separate ServiceNow incidents are created and linked to each episode.
  5. Go to the Impact tab to see the incident number listed under All Tickets. Click this link to open the ticket in your ticketing system.

Create a ticket in Remedy or Helix

ITSI supports bidirectional integration with BMC Remedy or BMC Helix if you have the corresponding action rules configured in the aggregation policy. For more information about the integration with Remedy or Helix, see Integrate ITSI with BMC Remedy in the Event Analytics manual.

You can create a ticket in your Remedy or Helix incident tracking system for an episode. The Remedy action only appears in the Actions menu if the Splunk Add-on for Remedy is installed on your Splunk platform.

  1. Select an episode.
  2. Select Actions > Create Remedy incident if the Splunk Add-on for Remedy is configured to use SOAP. Select Actions > Remedy Incident Integration Using Rest API if the add-on is configured to use REST.
  3. Configure the fields corresponding to fields in Remedy or Helix. Don't enter a correlation ID; ITSI associates the episode with the external ticket for you.
  4. Select Done. After a few seconds, the following message appears: Successfully dispatched actions. View in Activity.
  5. Select View in Activity to see one or more entries related to Remedy.
  6. Go to the Impact tab to see the incident number listed under All Tickets. Select the incident number to open the ticket in your ticketing system.

Create a ticket in Splunk On-Call (VictorOps)

You can create an incident in the Splunk On-Call incident management system for an episode. The Splunk On-Call action only appears in the Actions menu if the Splunk On-Call (VictorOps) app is installed on your Splunk platform.

  1. Select an episode.
  2. Click Actions > Create Splunk On-Call incident.
  3. Configure the following fields:
    Message Type: The type of message to send:
      • INFO - creates an alert
      • WARNING - creates an alert
      • CRITICAL - creates an incident
      • ACKNOWLEDGEMENT - acknowledges the incident
      • RECOVERY - resolves the incident
    Monitoring Tool: The Splunk On-Call monitoring tool. Set this field to Splunk ITSI so that the incident and alert are branded with the Splunk ITSI logo.
    Alert Entity ID: The unique identifier for the incident. It is best practice to use a token to insert the value of a field. For example: ITSI Alert: $result.itsi_group_title$.
    Alert Entity Display Name: The title of the incident. If you do not provide a display name, ITSI uses the Alert Entity ID field.
    State Message: The status message to send to Splunk On-Call.
    Routing Key: Optionally, configure a routing key to override the global Splunk On-Call routing key.
  4. Click Done. After a few seconds the following message appears: Successfully dispatched actions. View in Activity.
  5. Click View in Activity to see one or more entries related to Splunk On-Call.

Send an episode to Phantom

Phantom is an orchestration, automation, and response platform designed to help scale your IT and security operations. Phantom lets you automate tasks, orchestrate workflows, and support a broad range of NOC and SOC functions. The Phantom action only appears in the Actions menu if the Phantom App for Splunk is installed on your Splunk platform.

When you send an ITSI episode to Phantom, the episode itself is mapped to an event in Phantom and the notable events within the episode are mapped as artifacts of the event. The ITSI episode ID is mapped to the source ID of the Phantom event.

  1. Select an episode.
  2. Click Actions > Send to Phantom.
  3. Configure the following fields:
    Phantom Server: The Phantom server to send the episode to. Create and configure a Phantom server in the Phantom App for Splunk.
    Phantom Label: Phantom determines which playbooks to run for an ingested event based on the label associated with the event. Specify a label here to determine which playbooks run. Phantom also lets you associate one or more labels with a playbook. Refer to the Phantom documentation for information about configuring playbook labels.
      • If you re-run this action on the same episode and provide the same label, no action is taken.
      • If you re-run this action on the same episode and provide a different label, the action creates a separate event in Phantom and runs the playbooks associated with the new label. You can access both events in Phantom and review the corresponding automation artifacts.
  4. Click Done. After a few seconds the following message appears: Successfully dispatched actions. View in Activity.
  5. Click View in Activity to see one or more entries related to Phantom.

Create a ticket in an external ticketing system

You can create a ticket in any external ticketing system from an ITSI episode.

  1. Create a custom alert action in the Splunk platform. See Custom alert actions overview in Developing Views and Apps for Splunk Web.
  2. Consume the Notable Event Action SDK to update external ticket information for a given episode using the Episode ID. See Notable event actions SDK reference.
  3. Add a stanza for the custom alert action in $SPLUNK_HOME/etc/apps/SA-ITOA/local/notable_event_actions.conf.

If your custom alert action exposes APIs similar to those exposed by the Splunk Add-on for ServiceNow or the Splunk Add-on for Remedy, use the [snow_incident] and [remedy_incident] stanzas in default/notable_event_actions.conf as examples.

Refer to the notable_event_actions.conf spec and example files located in $SPLUNK_HOME/etc/apps/SA-ITOA/README for more information.
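The following script is an added example, not code from this page, from Splunk, or from the ITSI SDK. It sketches the script half of a custom alert action that links an episode to a ticket in an external system, and it also shows the $result.<fieldname>$ token expansion that the Send email action and the Link Ticket fields rely on. What it takes from the Splunk custom alert action contract: the script is invoked with --execute and reads a single JSON payload on stdin carrying configuration (the user-entered parameters), result (the triggering event's fields), sid, server_uri and session_key, and lines it writes to stderr prefixed with INFO, WARN or FATAL are picked up by the Splunk log. Everything else is an assumption: the parameter names ticket_system, ticket_id and ticket_url, the event field remedy_incident, the sample payload (constructed, not captured from a real instance), and the decision to refuse URLs with a scheme other than http or https rather than pass them through as relative URIs.

```python
#!/usr/bin/env python3
"""Custom alert action skeleton: link an ITSI episode to an external ticket.

Added example. Grounded in Splunk's custom alert action contract (--execute,
JSON payload on stdin, stderr log lines). Ticket-system details are placeholders.
"""
import json
import re
import sys
from urllib.parse import urlsplit

# Matches the $result.<fieldname>$ token syntax used in alert action parameters.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def expand_tokens(template, result):
    """Replace every $result.<field>$ token with the matching value from the
    triggering event. In this example a field the event lacks expands to ""."""
    return TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), template)


def classify_url(url):
    """Apply the page's rule for reference links and ticket URLs: only http://
    and https:// are absolute links, a scheme-less value is a relative URI.
    As an added hardening step (assumption, not page behaviour) any other
    explicit scheme such as javascript: or data: is rejected outright."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return "absolute"
    if parts.scheme == "":
        return "relative"
    return "rejected"


def build_ticket_link(config, result):
    """Resolve the Ticket System / Ticket ID / Ticket URL parameters (assumed
    parameter names) against the event's fields and validate the URL."""
    link = {
        "ticket_system": expand_tokens(config.get("ticket_system", ""), result),
        "ticket_id": expand_tokens(config.get("ticket_id", ""), result),
        "ticket_url": expand_tokens(config.get("ticket_url", ""), result),
    }
    link["url_kind"] = classify_url(link["ticket_url"])
    if link["url_kind"] == "rejected":
        raise ValueError("ticket_url must be http(s) or relative: %r" % link["ticket_url"])
    return link


def parse_payload(raw):
    """Parse the JSON payload Splunk writes to stdin for --execute and keep only
    what this action needs. session_key is deliberately left out of the
    returned dict so it cannot end up in a log line by accident."""
    payload = json.loads(raw)
    return {
        "configuration": payload.get("configuration", {}),
        "result": payload.get("result", {}),
        "server_uri": payload.get("server_uri", ""),
        "sid": payload.get("sid", ""),
    }


def main(argv, raw_payload):
    """Entry point. Returns the process exit code instead of calling sys.exit
    so it can be exercised without a subprocess."""
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        return 1
    payload = parse_payload(raw_payload)
    link = build_ticket_link(payload["configuration"], payload["result"])
    # Placeholder for the real ticketing client and for the SDK call that
    # attaches the ticket to the episode (which would use the session key).
    sys.stderr.write("INFO linked episode=%s to %s %s (%s url)\n" % (
        payload["result"].get("itsi_group_id", "?"),
        link["ticket_system"], link["ticket_id"], link["url_kind"]))
    return 0


# Constructed sample payload for offline runs; not captured from a real instance.
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler__admin__SA-ITOA__search1",
    "server_uri": "https://127.0.0.1:8089",
    "session_key": "REDACTED",
    "configuration": {
        "ticket_system": "Remedy",
        "ticket_id": "$result.remedy_incident$",
        "ticket_url": "https://remedy.example.com/incident/$result.remedy_incident$",
    },
    "result": {
        "itsi_group_id": "3f2a9c1e-example",
        "itsi_group_title": "Disk failure on db-01",
        "remedy_incident": "INC000000123456",
    },
})

if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin.read()))
```

To try it offline, pipe the sample payload into the script with --execute; in a real deployment Splunk invokes the script from the app's bin directory and supplies the payload itself. Keep the session key out of anything you log, and treat the ticket URL as untrusted input even though it comes from an ITSI operator, since it ends up rendered as a link on the Impact tab.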

Last modified on 19 July, 2023

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only