Splunk® IT Service Intelligence

Event Analytics Manual

Customize episode severities in ITSI

An episode's severity in IT Service Intelligence (ITSI) is determined by the severities of the individual notable events within the episode. If you configure additional severities in the itsi_notable_event_severity.conf configuration file, those severities also apply to the available severities in correlation searches and aggregation policies.

The following default severities are available for episodes:

Severity level Color
Critical Criticle.png
High High.png
Medium Medium.png
Low Yellow.png
Normal Green.png
Info Info.png

Edit episode severities

An episode's severity is determined by the severities of the individual notable events within the episode. You can customize episode and event severities to match an existing workflow in your organization. In the configuration file below that governs episode severities, "color" is the default color displayed in Episode Review, while "light color" applies to prominent mode.


Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.


  1. Open or create a local itsi_notable_event_severity.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local.
  2. Add, modify, or remove severities as necessary depending on the existing workflow in your organization.
    color = #AED3E5
    lightcolor = #E3F0F6
    label = Info
    default = 1
    color = #99D18B
    lightcolor = #DCEFD7
    label = Normal
    color = #FFE98C
    lightcolor = #FFF4C5
    label = Low
    color =  #FCB64E
    lightcolor = #FEE6C1
    label = Medium
    color = #F26A35
    lightcolor = #FBCBB9
    label = High
    color = #B50101
    lightcolor = #E5A6A6
    label = Critical
Last modified on 28 April, 2023
Customize episode statuses in ITSI   Download episodes in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters