Splunk® IT Service Intelligence

Event Analytics Manual

Overview of notable events in ITSI

A notable event is the foundational unit of the IT Service Intelligence (ITSI) Event Analytics functionality. A notable event is a stored alert with a unique ID, time, status, severity, and owner. Notable events are typically generated by a correlation search, but they can also be directly fed into the system by anomaly detection or other REST sources.

Notable events are fed into the Event Analytics Rules Engine to create episodes and trigger episode actions. For more information about how the Rules Engine functions, see About the ITSI Rules Engine.

Splunk IT Service Intelligence (ITSI) implements custom indexes for notable event storage. In a single instance deployment, the installation of ITSI creates the indexes in $SPLUNK_HOME/var/lib/splunk.

The following table lists the indexes used to store notable event and episode metadata:

Index Description
itsi_tracked_alerts Stores active raw notable event data.
itsi_notable_audit Stores all audit events for episodes, including actions, comments, status change, and owner change.
itsi_grouped_alerts Stores active episode data.
itsi_notable_archive Stores episode tags that have been moved from the KV store after a default 6 month retention period, which begins when you close an episode in the UI. Moving data from the KV store removes extraneous data and helps improve performance.

ITSI uses an indexed real-time search to retrieve notable events from the Splunk platform. Indexed real-time searches have a delay of about 90 seconds before events get processed. Using concurrent real-time search instead of indexed real-time search is not supported for the itsi_event_grouping search because it significantly impacts system performance.

Last modified on 16 May, 2024
Ingest third-party alerts into ITSI with correlation searches   Modify notable event KV store collections in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters