Splunk® IT Service Intelligence

Event Analytics Manual

This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

Triage episodes in ITSI

Use Episode Review as part of your episode triage workflow. You can monitor episodes and the actions that analysts take to resolve the issues that triggered an episode.

ITSI groups notable events into episodes according to the rules defined in the default aggregation policy or a custom policy you created. See Overview of aggregation policies in ITSI for more information.

If service level permissions are enabled for Episode Review, you only see episodes that contain at least one event associated with a service for which you have read permission or at least one event that is not associated with any services. For more information, see Overview of teams in ITSI.

Acknowledge episodes

When you identify an episode that requires investigation, the first step is to acknowledge the episode. Acknowledging an episode changes its status from New to In Progress and assigns the owner to the current ITSI user.

You can acknowledge an episode with a status of New. If an episode with a status of New is already assigned to an owner, acknowledging the episode changes the owner to the current ITSI user. You can acknowledge multiple episodes as long as at least one of the episodes has a status of New. Only the new episodes are updated to In Progress and assigned to the current user.

  1. Select an episode with a status of New.
  2. Click the Ack icon ( Ack.png ) to assign the episode to the currently logged-in ITSI user.

Accelerate triage with filters and sorting

Speed up your episode triage with search filters and sorting. For example, focus on specific episodes with the search filters and time range selector. Episodes contain Severity, Status, and Owner fields to help you categorize, track, and assign them.

Use the Add filter option to filter episodes by one or more attributes, such as owner, severity, or specific event fields within the episode. Only episodes containing the selected values are shown. You can use the wildcard (*) character to support partial matching of attributes and values. Attributes and values are case insensitive. The suggested values are fetched based on the time range applied to Episode Review. The number of values displayed in the menu is capped, so there may be cases where a notable exists, but isn't listed as a suggested value.

You can filter for episodes created by the same aggregation policy by using the Policy filter. As you type, the aggregation policy names appear for you to select. You can add more than one filter. For example, you could also add a filter for Owner, Unassigned to see only new episodes that are unassigned.

Click the Sorted by dropdown to select an attribute by which to sort episodes. For example, if you select Severity, the episodes are listed in order of highest to lowest severity level, and sorted secondarily by time. Click Add sub-sort to sort against additional episode attributes. The sort operates hierarchically from left to right, meaning episodes are sorted by the first attribute, then those with an identical first attribute are sorted by the second attribute, and so on. You can sort by a maximum of three attributes. Use the arrow ( Arrow.png ) to switch between ascending and descending order.

Use the search box to search for specific text in an episode. The search field is case insensitive. You can use an asterisk as a wildcard character, as well as the AND, OR, and NOT clauses. You can also search using field-value pairs to search for specific fields in an episode, for example, host=127*. Use brackets to group expressions, such as foo<1 OR (foo=3 OR (host!=127* AND foo>5)). For more information about boolean operators, see Searching with boolean operators in the Splunk Cloud Services Manual.

If you need to search using a double quote (") or a backslash (\), you need to escape the character in the search string. Avoid adding unnecessary double quotes when searching for field-value pairs. To search for a specific phrase, don't enclose the search in double quotes. For more information, see Characters and escape sequences that must be escaped.
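As an added illustration that is not part of the ITSI documentation or the product, the following Python code parses the search-box syntax described in the last two paragraphs (field-value pairs, the * wildcard, AND, OR and NOT, bracket grouping, and double quotes or backslashes escaped with a backslash) and evaluates it against constructed sample episodes, so you can see how an expression such as foo<1 OR (foo=3 OR (host!=127* AND foo>5)) is interpreted. It assumes episodes are flat field dictionaries and that NOT binds tighter than AND, which binds tighter than OR; the product's own precedence rules are on the linked boolean-operators page, so treat this as a model of the grammar rather than of Episode Review's matching engine.

```python
import re
# Tokens: parens, "quoted" literals (backslash escapes " or \), operators, bare words (may hold *), stray chars
TOKEN_RE = re.compile(r'\s*(?:([()])|("(?:\\.|[^"\\])*")|(!=|<=|>=|[=<>])|([^\s()=<>!"]+)|(\S))')

def tokenize(text):
    tokens = []
    for sym, quoted, op, word, bad in TOKEN_RE.findall(text):
        if bad: raise ValueError(f"unexpected {bad!r}: escape it with a backslash")
        if quoted: tokens.append(("val", re.sub(r"\\(.)", r"\1", quoted[1:-1])))
        elif word: tokens.append(("kw", word.upper()) if word.upper() in ("AND", "OR", "NOT") else ("val", word))
        else: tokens.append(("sym", sym or op))
    return tokens + [("end", "")]
def wildcard(pattern):          # case-insensitive; * matches any run of characters
    return re.compile(".*".join(map(re.escape, pattern.lower().split("*"))), re.S)
def compare(actual, op, wanted):
    a, b = str(actual).lower(), wanted.lower()
    if op in ("=", "!="): return bool(wildcard(b).fullmatch(a)) == (op == "=")
    try: a, b = float(a), float(b)               # numeric order when both sides parse
    except ValueError: pass
    return {"<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]
def compile_query(query):       # recursive descent (parens, NOT, AND, OR) to a predicate (assumed precedence)
    tokens = tokenize(query)
    def take(*want):            # consume the next token, which must start with `want`
        if tokens[0][:len(want)] != want: raise ValueError(f"unexpected {tokens[0][1]!r}")
        return tokens.pop(0)[1]
    def chain(kw, sub, join):   # left-associative run of `sub` terms joined by keyword kw
        f = sub()
        while tokens[0] == ("kw", kw): take("kw"); f = join(f, sub())
        return f
    p_or = lambda: chain("OR", p_and, lambda l, r: lambda ep: l(ep) or r(ep))
    p_and = lambda: chain("AND", p_not, lambda l, r: lambda ep: l(ep) and r(ep))
    def p_not():
        if tokens[0] == ("kw", "NOT"): take("kw"); return lambda ep, g=p_not(): not g(ep)
        if tokens[0] == ("sym", "("): take("sym"); f = p_or(); take("sym", ")"); return f
        left = take("val")
        if tokens[0][0] == "sym" and tokens[0][1] not in "()":         # field op value
            name, op, wanted = left.lower(), take("sym"), take("val")
            return lambda ep: any(k.lower() == name and compare(v, op, wanted) for k, v in ep.items())
        pat = wildcard("*%s*" % left)                                    # free text in any field
        return lambda ep: any(pat.fullmatch(str(v).lower()) for v in ep.values())
    f = p_or()
    if tokens[0][0] != "end": raise ValueError(f"unexpected {tokens[0][1]!r} after expression")
    return f

EPISODES = [{"id": 1, "host": "127.0.0.1", "foo": 0}, {"id": 2, "host": "10.0.0.5", "foo": 3},
            {"id": 3, "host": 'db"01', "foo": 7}, {"id": 4, "host": "127.0.0.9", "foo": 9}]  # constructed
def search(query, episodes=EPISODES):   # ids of the sample episodes that satisfy the query
    pred = compile_query(query)
    return [ep["id"] for ep in episodes if pred(ep)]
```

An unescaped double quote, such as host=db"01, is rejected with a ValueError instead of being silently matched.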

To show which episodes are open and still receiving events, as well as which episodes are closed and no longer receiving events, click the gear icon ITSI gear.png and select + Add Column > Active Episode.

Save a custom view of Episode Review

To save a filtered view of Episode Review, click Save as... and give the view a meaningful name. To access the saved view in the future, click the tab in the top left to pull out the Saved Views panel.

To automatically refresh the dashboard at specific intervals, click the gear icon ITSI gear.png and specify the auto refresh period.

Assign episodes

Episodes are unassigned by default. You can assign one episode at a time, or several at once.

Prerequisite
You must have the itoa_admin, itoa_team_admin, or itoa_analyst role to assign episodes to a user.

Steps

  1. Select one or more new episodes.
  2. Click the Unassigned dropdown.
  3. Select an owner to assign the episode to.

If you use SAML authentication, it can take up to 10 minutes to update the list of users that you can assign episodes to.

Update the status of an episode

New episodes have the New status. As analysts triage and move an episode through the episode review workflow, the owner can update the status of the episode to reflect the actions they take to address it.

  1. Select one or more episodes.
  2. Click the status in the toolbar (for example, New). If the selected episodes have different statuses, Original Statuses is displayed.
  3. Change the status. The updated status is reflected in the episode.

If your changes are not immediately visible, check the dashboard filters. For example, if the filter is set to "New" after you changed an episode to "In Progress", your updated episode will not display.

You can choose from the following episode statuses.

Status       Description
Unknown      Used by ITSI when an error prevents the episode from having a valid status assignment.
New          Default status. The episode has not been reviewed.
In Progress  An owner is investigating the episode.
Pending      An action must occur before the episode can be closed.
Resolved     The owner has addressed the cause of the episode and is waiting for verification.
Closed       The resolution of the episode has been verified.

When you update an episode, the change is reflected in the episode but not in the individual events in the episode. For example, if you change the status to "In Progress" for an episode, the status of the episode changes to In Progress, but the individual notable events in the episode retain their own statuses.

Last modified on 13 March, 2023

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.15.1
