Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

itsi_notable_event_status.conf

The following are the spec and example files for itsi_notable_event_status.conf.

itsi_notable_event_status.conf.spec

# This file contains attributes and values for configuring label descriptions
# and episode status in Episode Review.
#
# There is an itsi_notable_event_status.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place an itsi_notable_event_status.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local/. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles

GLOBAL SETTINGS


# Use the [default] stanza to define any global settings.
#  * You can also define global settings outside of any stanza, at the top
#    of the file.
#  * Each .conf file should have at most one default stanza. If there are
#    multiple default stanzas, attributes are combined. In the case of
#    multiple definitions of the same attribute, the last definition in the
#    file wins.
#  * If an attribute is defined at both the global level and in a specific
#    stanza, the value in the specific stanza takes precedence.

[<id>]

label = <string>
* A valid label for the episode status.
* Required.

default = <boolean>
* Indicates the initial status of an episode when it is generated in
  Episode Review.
* Set this value to "1" if this label is the default label.

description = <string>
* A description of the episode label.

end = <boolean>
* Indicates the last status in the Episode Review workflow.
* Set this value to "1" if this label is the end of the
  episode management workflow.
* If a status has an end flag enabled, any episode with that status is automatically
  broken. This means that no more events will flow into that episode. This rule
  applies to status changes in Episode Review as well as through aggregation
  policy action rules.
* CAUTION: If you remove the "end" tag from the "Closed" status, you will no
  longer be able to close episodes through the Episode Review UI. It is
  recommended that you do not remove or change the location of this tag.




itsi_notable_event_status.conf.example

[default]
disabled = 0
label =
description =
default = 0
end = 0

[0]
label = Unknown
description = An error is preventing the issue from having a valid status assignment

## Enable status "new"
## Enable selected (automatically selects status element in applicable UI pulldowns)
[1]
disabled = 0
default = 1
label = New
description = Event has not been reviewed

## Enable status "in progress"
[2]
disabled = 0
label = In Progress
description = Investigation or response is in-process

## Enable status "pending"
[3]
disabled = 0
label = Pending
description = Event closure is pending some action

## Enable status "resolved"
[4]
disabled = 0
label = Resolved
description = The issue has been resolved and awaits verification

## Enable status "closed"
[5]
disabled = 0
label = Closed
description = Issue has been resolved and verified
end = 1
Last modified on 28 April, 2023
PREVIOUS
itsi_notable_event_severity.conf
  NEXT
itsi_service.conf

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.16.0 Cloud only


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters