Normalize alerts with correlation search templates in ITSI
IT Service Intelligence (ITSI) ships with several predefined correlation search templates to help you normalize alerts from common third-party systems. Leverage these searches when creating a correlation search to bring third-party alerts into ITSI and normalize them as notable events. For more information about correlation searches, see Overview of correlation searches in ITSI.
Prerequisites
Requirement | Description |
---|---|
ITSI role | You must have the write_itsi_correlation_search capability to create a correlation search. The itoa_admin and itoa_team_admin ITSI roles have this capability by default. |
Ingest third-party data | You must be ingesting data from the corresponding third-party alerting system into Splunk Enterprise in order to normalize it in ITSI. Optionally, you can install the related Splunk add-on for that system. The table below lists the add-ons related to each search, if available. |
Access correlation search templates
All third-party search templates are available within the correlation search creation workflow. To leverage a template, perform the following steps:
- From the ITSI main menu, click Configuration > Correlation Searches.
- Click Create New Search > Create Correlation Search.
- Provide a name and description for the search.
- For Search Type, choose Predefined.
- Click Select a Search and choose one of the predefined search templates described below.
- Click Select an index and choose an index to use for the search.
- Configure the rest of the correlation search to normalize the third-party alert fields. For instructions, see Ingest third-party alerts into ITSI.
Available correlation search templates
Choose from the following correlation search templates to bring third-party alerts into ITSI:
Search name | Search | Description |
---|---|---|
BMC TrueSight Events | | BMC TrueSight (patrol, msend) stateful events. Deduplicated by alias_host, alias_parameter, Msg. |
MuleSoft Events | | MuleSoft stateful related events, filtering out severity=INFO, deduplicated by source. |
Nagios Events | | Nagios stateful performance events. Filtering by sourcetype=nagiosserviceperf, deduplicated by consecutive, src_host, severity, name. Add-on: Splunk Add-on for Nagios Core |
Netcool Events | | Netcool stateful performance events. Deduplicated by consecutive, itsi_host, itsi_alertID, itsi_alertKey. |
NewRelic Events | | New Relic stateful events. Filtering by sourcetype=newrelic*, deduplicated by transaction_name, health_status. Add-on: Splunk Add-on for New Relic |
ScienceLogic em7 | | ScienceLogic em7 stateful events. Deduplicated by em7_var_evententityname, em7_var_alertid (used by notable event identifier fields). |
SolarWinds Events | | SolarWinds stateful events, not performance metrics. Deduplicated by NodeName, eventtype, StatusDescription. Add-on: SolarWinds Add-on for Splunk |
Unix or Linux Events | | Unix and Linux-based stateful events using the field Status as severity. If clearing events (Up) are being ingested, remove the filter for status=Stopped (clearing events can be used to automatically clear notable events). Deduplicated by host, status, and Description. Add-on: Splunk Add-on for Unix and Linux |
WinEvent:System or WinEvent:Application | | Windows-based stateful events from winevents:system and winevents:application. Filtering out informational events and deduplicated on Message, host, and orig_event_id. |
AppDynamics
Search name | Search | Description |
---|---|---|
Events | | AppDynamics stateful events based on the ingested events from AppDynamics, using spath to expand the key-value pairs into single fields. Deduplicated by itsi_triggeredEntity, itsi_application, and itsi_subType. Add-on: Splunk Add-on for AppDynamics |
Health Rule Violations | | AppDynamics health rule stateful violations based on the ingest of health rule events from AppDynamics, using spath to expand the key-value pairs into single fields. Deduplicated on healthrule_violations{}.affectedEntityDefinition.entityId and healthrule_violations{}.deepLinkUrl. Add-on: Splunk Add-on for AppDynamics |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1