Splunk® IT Service Intelligence

Event Analytics Manual

Group similar events with Smart Mode in ITSI

Smart Mode in IT Service Intelligence (ITSI) uses machine learning algorithms to group notable events into episodes based on their similarities. Smart Mode compares event field values and groups events that are related to each other. It reduces noise and detects patterns in your events so you don't have to. You can enable Smart Mode within any aggregation policy. For more information about aggregation policies, see Overview of aggregation policies in ITSI.

Don't enable Smart Mode on more than five aggregation policies in a minimum environment (12 CPUs, 12 GB of RAM on the search head), or more than 20 aggregation policies in a performance environment (48 CPUs, 65 GB of RAM on the search head).

Prerequisites

  • You must create and save an aggregation policy before you can enable Smart Mode for it. For instructions, see Overview of aggregation policies in ITSI.
  • You must have the write_itsi_notable_aggregation_policy capability to enable Smart Mode. The itoa_admin and itoa_team_admin roles have this capability by default.

Steps

  1. From the ITSI main menu, click Configuration > Notable Event Aggregation Policies.
  2. Select a custom policy or the Default Policy.
  3. Under Smart Mode grouping, enable Smart Mode.
  4. Click Select fields. A dialog displays the fields found in your notable events from the last 24 hours.
  5. (Optional) Change the time period for the field analysis and click Re-run Analysis.
  6. Choose the fields to compare for event similarity. Recommended fields are selected by default. Do not select more than 15 fields, as this might impact performance.
    Column Description
    Type Category or Text based on the content of the field. Category fields have a distinct value, such as a status field. Text fields consist of a string, such as a description field.
    # of Values The number of values for each field.
    Event Coverage The percentage of events that contain the field. In general, choose fields with high event coverage.
  7. Click Apply.
    An episode preview uses the last 24 hours of data to illustrate event grouping with Smart Mode enabled. Expand an episode to see the individual notable events.
  8. (Optional) Configure the following Smart Mode settings:

    Setting Description
    Text Similarity The importance of text similarity versus category similarity. The episodes in the preview update to reflect the importance factors you set. Setting both to 0, half, or 1 gives the factors equal weight.
    Category Similarity The importance of category similarity. The episodes in the preview update to reflect the importance factors you set. Setting both to 0, half, or 1 gives the factors equal weight.
    Split by Service Provides service context for your events. For example, if two events have similar fields but affect different services, they probably shouldn't be grouped together. If enabled, events are grouped by service first, then by text and category similarity.
    Split by Entity Provides entity context for your events. If enabled, ITSI segregates events based on the entity they belong to before applying grouping. Then it groups by text and category similarity. For example, if there are web status errors and disk errors on the same host that occurred in the same time period, those events are now in the same episode.

    If you split by service AND entity, Smart Mode splits by service first (if the event has service association) and does not split further. If the event has no service association, it splits by entity.

  9. Click Save.

After you save your aggregation policy, events are grouped in Episode Review according to the policy you configured. Custom aggregation policies take precedence over the Default Policy, so if an event meets the criteria of a custom policy, it is grouped according to that policy's rules.

Last modified on 28 April, 2023
Dispatch episode actions to a remote ITSI instance   Scenario: Kai groups related alerts with ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters