Splunk® IT Service Intelligence

Event Analytics Manual

Scenario: Kai groups related alerts with ITSI

Buttercup Bank, a fictitious company created for illustrative purposes in this scenario, has a database that acts as the main data source for their mobile banking application. Lauren, an IT administrator at Buttercup Bank, uses Splunk IT Service Intelligence (ITSI) with Splunk App for Content Packs and the Content Pack for Monitoring and Alerting to monitor the service health and key performance indicators (KPI) of their mobile banking application.

Group related alerts to reduce alert noise

To group related alerts generated by ITSI, Lauren does the following:

  1. Opens ITSI.
  2. Uses the entity discovery search function to verify that every active aggregation policy has a corresponding entity.
  3. Verifies that each of the following services are enabled:
    1. ITSI Event Analytics
    2. ITSI Alert Analytics
    3. ITSI Episode Analytics
  4. Selects Service Analyzer from the navigation bar.
  5. Applies filters for services, KPIs, and tags by selecting values for each of those fields.
  6. Selects Configuration > Notable Event Aggregation Policies from the navigation bar.
  7. Enables the following aggregation policies by toggling their switches in the Status column:
    1. Entity Type Alerts
    2. KPI Alerting Policy
    3. Normalized Policy

    Setting ITSI event aggregation policy

  8. Selects the aggregation policy in the Title column to configure episode information for that policy.
  9. Validates the output from the previous steps in this task by selecting Alerts and Episodes from the navigation bar. Lauren knows that notable events are stored in the itsi_tracked_alerts index. Alerts and Episodes now shows notable events grouped into deduplicated episodes in the ITSI Episode Review dashboard:
  10. ITSI Episode Review dashboard

Gain a holistic understanding of issues in the ITSI environment

Lauren can use aggregation policies in ITSI to group alerts logically for faster tracking and troubleshooting while viewing details in the Service Analyzer and Alerts and Episodes Review dashboards that are part of ITSI.

Lauren also knows that when Splunk Observability Cloud alerts are integrated with ITSI, a holistic understanding of Observability events, which are not the same as notable events tracked by ITSI, can help with problem diagnosis and troubleshooting.

Observability events provide context for point-in-time occurrences and display as overlays atop familiar dashboards, complete with event markers that show the start and end times of a given event.

Example of Observability events display

To access event data by creating an alert sent directly from ITSI to Splunk Observability Cloud and leverage the capability of event analytics in ITSI, Lauren does the following:

  1. Installs Splunk Observability Cloud Alert Action for Splunk.
  2. Pastes the Observability API token into the Configuration field of that app.
  3. Runs a correlation search.
  4. Creates an alert based on search results.
  5. Chooses fields such as app_name, eventtype, and detectorID from the search results to add as dimensions included with events.
  6. Adds the alert action for the app to take, such as specifying that email alias lauren@buttercupbank be designated as an alert recipient.


In this scenario, Lauren reduced alert noise by using aggregation policies to group related alerts in ITSI, and integrated ITSI with Splunk Observability Cloud so as to have similar visibility into Observability events. As a result, Lauren can more efficiently monitor system health and key performance indicators for Buttercup Bank, reducing mean time to problem detection and mean time to problem resolution.

Learn more

Subject Resource
Aggregation policies and how they work
Splunk Observability Cloud Alert Action for Splunk
Different event types
Last modified on 13 June, 2023
Group similar events with Smart Mode in ITSI   Overview of Episode Review in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters