Splunk® IT Service Intelligence

Event Analytics Manual

Take action on an episode in ITSI

After triaging and investigating an episode in IT Service Intelligence (ITSI), you can take optional steps to address the issue. The following episode actions are available in the Episode Review Actions menu:

  • Share the episode
  • Add a reference link
  • Link a ticket
  • Ping a host
  • Send an email
  • Create a ticket in an external ticketing system
  • Send data using a webhook

Not all actions are available if role-based permissions are set. All episode actions are Splunk platform alert actions that you can manage in the alert actions manager. For more information, see Using the alert actions manager in the Alerting Manual. You can set permissions per user role for each episode action. These permissions also determine which actions are available in a notable event aggregation policy.

Share episode

Generate a URL that links to a filtered view of Episode Review. For example, you might want to link directly to the Events Timeline tab within a specific episode. Generate a custom link to that episode that you can save, send, or bookmark.

  1. Select an episode.
  2. (Optional) Select a specific tab within the episode.
  3. Click Actions > Share episode.
  4. Copy the link.

Add a reference link

Reference links are static links to external websites or tickets. The links are visible on the Impact tab of an episode. Reference links don't support bidirectional integrations.

  1. Select an episode.
  2. Click Actions > Add reference link.
  3. Configure the following fields:
    URL Description: A description of the link destination. For display purposes only.
    URL: The external link for drilldown purposes. The URL must start with http:// or https://. Otherwise it is interpreted as a relative URI.
  4. Click Done.
  5. Click the Activity tab to confirm that the link was created.
  6. Click the Impact tab to see the link under Reference Links.

Link a ticket

You can link an episode to one or more tickets in your external ticketing system of choice. Your role needs the run_sendalert capability in order to use this action.

For example, you might see an episode related to a disk failure in Episode Review and remember that a ticket has been created for this issue in Remedy or Helix. You can link the Remedy or Helix ticket to the ITSI episode so you can quickly access the ticket in the future to review information on the status and progress of investigation into the episode.

If you link more than one episode to an external ticket, the ticket link is added to each individual episode.

  1. Select one or more episodes.
  2. Click Actions > Link Ticket.
  3. Configure the following fields:
    Ticket System: The name of the external ticketing system. Supports field substitution.
    Ticket ID: The ID number of the specific ticket.
    Ticket URL: The link to the ticket for drilldown purposes. The URL must start with http:// or https://. Otherwise it is interpreted as a relative URI.
  4. Click Done.
  5. Click the Activity tab to confirm that the ticket was linked.
  6. Click the Impact tab to see a link to the ticket under All Tickets. The ticket is linked to each notable event in the episode.
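The http:// or https:// rule for reference links and ticket links is worth checking before a link is stored: a link that fails it is resolved relative to Splunk Web rather than to the ticketing system, and a browser-executable scheme should never be stored at all. The following Python is an added example, not Splunk's own validation code; the Splunk Web base URL and the sample links are constructed for illustration, and the check is slightly stricter than the page's prefix rule in that it also requires a host part.

```python
from urllib.parse import urljoin, urlsplit

# Constructed Splunk Web base URL, used only to show where a relative URI
# would end up; not a real host (assumption of this example).
SPLUNK_WEB_BASE = "https://splunk.example.com/en-US/app/itsi/episode_review"

# Schemes a browser would execute, or that never belong in a ticket link.
# Refusing them explicitly keeps a stored link from becoming something that
# runs when an operator later opens the Impact tab.
DISALLOWED_SCHEMES = ("javascript", "data", "vbscript", "file")


def is_absolute_http_url(url: str) -> bool:
    """True only for links Episode Review would treat as absolute: they start
    with http:// or https:// (the rule the page states). The scheme match is
    case-insensitive, and a host part must be present, so a bare "http://"
    is rejected."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def check_link(url: str) -> tuple:
    """Classify a candidate reference or ticket link before storing it.

    Returns (ok, resolved_or_reason). Absolute http(s) links are accepted
    as-is; disallowed schemes are refused; anything else is reported with
    the relative URI it would turn into, so it is obvious that a bare ticket
    number such as "INC0012345" would not point at the ticketing system."""
    candidate = url.strip()
    if not candidate:
        return (False, "empty link")
    scheme = urlsplit(candidate).scheme.lower()
    if scheme in DISALLOWED_SCHEMES:
        return (False, f"scheme {scheme!r} is not allowed in a link")
    if is_absolute_http_url(candidate):
        return (True, candidate)
    # Relative interpretation: resolved against Splunk Web, not the ticket system.
    return (False, "relative URI, would resolve to " + urljoin(SPLUNK_WEB_BASE, candidate))


if __name__ == "__main__":
    # Constructed sample links, not taken from a real deployment.
    for sample in (
        "https://helpdesk.example.com/tickets/INC0012345",
        "HTTP://helpdesk.example.com/tickets/INC0012345",
        "INC0012345",
        "//helpdesk.example.com/tickets/INC0012345",
        "javascript:void(0)",
    ):
        print(f"{sample!r:55} -> {check_link(sample)}")
```

The protocol-relative form (`//host/path`) is the one most often pasted by mistake: it is not rejected by the page's rule outright, but it does not start with http:// or https:// either, so it is treated as relative, and the check above reports it that way.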

Display a ticket column

Add a new column in Episode Review to display linked tickets for episodes.

  1. Click the gear icon.
  2. Click Add Column and select All Tickets.
  3. Click Done.

Ping a host

Determine whether a host is still active on the network by pinging the host.

  1. Select an episode.
  2. Click Actions > Ping host.
  3. Type the event field that contains the host that you want to ping in the Host field. For example, %server%.
  4. Click Done.

Send an email

Send an email as a result of an episode. ITSI sends one email even if the episode contains multiple events.

Make sure the mail server is configured in the Splunk platform before performing this action.

  1. Select an episode in Episode Review.
  2. Click Actions > Send email.
  3. In the To field, type a comma-separated list of email addresses to send the email to.
  4. (Optional) Change the priority of the email. Defaults to Lowest.
  5. Type a subject for the email. The subject defaults to Splunk Results. You can include tokens that insert text based on the results of the search using the format $result.<fieldname>$. For example: $result.title$
  6. Type a message to include as the body of the email. You can include tokens that insert text based on the results of the search using the format $result.<fieldname>$. For example: $result.event_id$. Alternatively, select a message template to populate the email body with a preconfigured message.
  7. Select whether to send the email as HTML and plain text, or just plain text.
  8. Click Done.

Create a ticket in ServiceNow

You can create a ticket in your ServiceNow incident tracking system for an episode. After you install and configure the corresponding add-on on your Splunk platform, an option to create a ticket in that system appears in Episode Review Actions menu.

ITSI supports bidirectional integration with ServiceNow if you have the corresponding action rules configured in the aggregation policy. For more information about the integration with ServiceNow, see Integrate ITSI with ServiceNow in the Event Analytics manual.

  1. Select an episode in Episode Review.
  2. Click Actions > Create ServiceNow incident.
  3. Configure all relevant fields. For descriptions and examples of each ServiceNow field, and for instructions on how to pass custom fields, see Use custom alert actions for the Splunk Add-on for ServiceNow in the Splunk Add-on for ServiceNow manual.
    Note: You don't need to provide a correlation ID because ITSI takes care of associating the episode with ServiceNow for you. If you provide an ID, it's ignored.
  4. Click Done. After a few seconds the following message appears: Successfully dispatched actions. View in Activity.
  5. Click View in Activity to see one or more entries related to ServiceNow.
  6. Go to the Impact tab to see the incident number listed under All Tickets. Click this link to open the ticket in ServiceNow. Note that the name that appears in the Opened by field for the ServiceNow incident is the name of the Splunk user that configured the Splunk Add-on for ServiceNow, no matter which ITSI user creates the ticket.

Create ServiceNow incidents in bulk

When you create ServiceNow incidents in bulk, a separate incident is created for each ITSI episode. The link to the incident appears in the All Tickets section of the Impact tab.

  1. Press Shift and select the episodes you want to create ServiceNow incidents for. You can create up to 25 incidents at a time.
  2. Click Actions > Create ServiceNow incident.
  3. Configure the fields corresponding to fields in ServiceNow. Do not enter a Correlation ID. ITSI associates the episode with the external ticket for you.
  4. Click Done. Separate ServiceNow incidents are created and linked to each episode.
  5. Go to the Impact tab to see the incident number listed under All Tickets. Click this link to open the ticket in your ticketing system.

Create a ticket in Remedy or Helix

ITSI supports bidirectional integration with BMC Remedy or BMC Helix if you have the corresponding action rules configured in the aggregation policy. For more information about the integration with Remedy or Helix, see Integrate ITSI with BMC Remedy in the Event Analytics manual.

You can create a ticket in the Remedy or Helix incident tracking system for an episode. The Remedy action only appears in the Actions menu if the Splunk Add-on for Remedy is installed on your Splunk platform.

  1. Select an episode.
  2. Select Actions > Create Remedy incident if your Splunk Add-on for Remedy is configured with SOAP. Select Actions > Remedy Incident Integration Using Rest API if your Splunk Add-on for Remedy is configured with REST.
  3. Configure the fields corresponding to fields in Remedy or Helix. Don't enter a correlation ID; ITSI handles associating the episode with the external ticket.
  4. Select Done. After a few seconds, the following message appears: Successfully dispatched actions. View in Activity.
  5. Select View in Activity to see one or more entries related to Remedy.
  6. Go to the Impact tab to see the incident number listed under All Tickets. Select the incident number to open the ticket in your ticketing system.

Create a Jira issue

ITSI supports bidirectional integration with Jira Cloud if you have the corresponding action rules configured in the aggregation policy. For more information about the integration with Jira, see Integrate ITSI with Jira Cloud in the Event Analytics manual.

You can create a ticket in the Jira tracking system for an episode. The Jira action only appears in the Actions menu if the Splunk Add-on for Jira Cloud is installed on your Splunk platform.

  1. Select an episode.
  2. Select Actions > Jira Cloud Issue Integration.
  3. Configure the fields corresponding to fields in Jira. Don't enter a Jira Key field. ITSI takes care of associating the episode with the external ticket for you.
  4. Select Done. After a few seconds, the following message is displayed: Successfully dispatched actions. View in Activity.
  5. Select View in Activity to see one or more entries related to Jira.
  6. Go to the Impact tab to see the Jira issue listed under All Tickets. Click the link to open the ticket in your ticketing system.

Create a ticket in Splunk On-Call (VictorOps)

You can create an incident in the Splunk On-Call incident management system for an episode. The Splunk On-Call action only appears in the Actions menu if the Splunk On-Call (formerly VictorOps) app is installed on your Splunk platform.

  1. Select an episode.
  2. Click Actions > Create Splunk On-Call incident.
  3. Configure the following fields:
    Message Type:
      • INFO - creates an alert
      • WARNING - creates an alert
      • CRITICAL - creates an incident
      • ACKNOWLEDGEMENT - acknowledges the incident
      • RECOVERY - resolves the incident
    Monitoring Tool: The Splunk On-Call monitoring tool. Set this field to Splunk ITSI so that the incident and alert are branded with the Splunk ITSI logo.
    Alert Entity ID: The unique identifier for an incident. It is best practice to use a token to insert the value of a field. For example, you could use ITSI Alert: $result.itsi_group_title$.
    Alert Entity Display Name: The title of the incident. If you do not provide a display name, ITSI uses the Alert Entity ID field.
    State Message: The status message to send to Splunk On-Call.
    Routing Key: Optionally, configure a routing key to override the global Splunk On-Call routing key.
  4. Click Done. After a few seconds the following message appears: Successfully dispatched actions. View in Activity.
  5. Click View in Activity to see one or more entries related to Splunk On-Call.

Send an episode to Splunk SOAR

Splunk SOAR is an orchestration, automation, and response platform designed to help scale your IT and security operations. Splunk SOAR lets you automate tasks, orchestrate workflows, and support a broad range of NOC and SOC functions. The Splunk SOAR action only appears in the Actions menu if the Splunk App for SOAR Export is installed on your Splunk platform.

When you send an ITSI episode to Splunk SOAR, the episode itself is mapped to an event in Splunk SOAR and the notable events within the episode are mapped as artifacts of the event. The ITSI episode ID is mapped to the source ID of the Splunk SOAR event.

  1. Select an episode.
  2. Click Actions > Send to Splunk SOAR.
  3. Configure the following fields:
    Splunk SOAR Server: The Splunk SOAR server to which the episode is sent. Create and configure a Splunk SOAR server in the Splunk App for SOAR Export.
    Splunk SOAR Label: Splunk SOAR determines which playbooks to run for an ingested event based on the label associated with the event. Specify a label here to determine which playbooks run. Splunk SOAR also lets you associate one or more labels with a playbook. Refer to the Splunk SOAR documentation for information about configuring playbook labels.
      • If you re-run this action on the same episode and provide the same label, no action is taken.
      • If you re-run this action on the same episode and provide a different label, the action creates a separate event in Splunk SOAR and runs the playbooks associated with the new label. You can access both events in Splunk SOAR and review the corresponding automation artifacts.
  4. Click Done. After a few seconds the following message appears: Successfully dispatched actions. View in Activity.
  5. Click View in Activity to see one or more entries related to Splunk SOAR.

Create a ticket in an external ticketing system

You can create a ticket in any external ticketing system from an ITSI episode.

  1. Create a custom alert action in the Splunk platform. See Custom alert actions overview in Developing Views and Apps for Splunk Web.
  2. Consume the Notable Event Action SDK to update external ticket information for a given episode using the Episode ID. See Notable event actions SDK reference.
  3. Add a stanza for the custom alert action in $SPLUNK_HOME/etc/apps/SA-ITOA/local/notable_event_actions.conf.

If you have a custom alert action that exposes APIs along the lines of those exposed by the Splunk Add-on for ServiceNow or Splunk Add-on for Remedy, use the stanzas for [snow_incident] and [remedy_incident] in default/notable_event_actions.conf as examples.

Refer to the notable_event_actions.conf spec and example files located in $SPLUNK_HOME/etc/apps/SA-ITOA/README for more information.
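As an added example that is not part of this manual or of any Splunk add-on, the following Python sketches the --execute entry point of such a custom alert action: it reads the JSON payload the Splunk platform passes on stdin, expands $result.<fieldname>$ tokens in the way the Send an email action describes, and refuses to build a ticket request when the payload carries no episode ID. The field name itsi_group_id for the episode ID, the configuration keys subject and message, the empty-string expansion of unknown tokens, and the sample payload are assumptions made for illustration; the Notable Event Action SDK call that writes the ticket back to the episode is not shown.

```python
import json
import re
import sys

# Matches $result.<fieldname>$ tokens, the format the Send an email action
# documents for subject and message text.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def render_tokens(template: str, result: dict) -> str:
    """Expand $result.<fieldname>$ tokens from one result row. A token whose
    field is missing from the row becomes an empty string (an assumption of
    this example, not a statement about the platform's own behaviour)."""
    return TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), template)


def parse_payload(raw: str) -> dict:
    """Read the JSON payload the Splunk platform passes on stdin to a custom
    alert action invoked with --execute. The keys sid, search_name,
    configuration and result are part of that payload; itsi_group_id as the
    episode ID field is an assumption of this example."""
    payload = json.loads(raw)
    result = payload.get("result", {})
    config = payload.get("configuration", {})   # the action's configured parameters
    return {
        "episode_id": result.get("itsi_group_id"),
        "episode_title": result.get("itsi_group_title"),
        "sid": payload.get("sid"),
        "search_name": payload.get("search_name"),
        "subject": render_tokens(config.get("subject", "Splunk Results"), result),
        "description": render_tokens(config.get("message", ""), result),
    }


def build_ticket_request(raw: str) -> dict:
    """Turn the payload into the body a ticketing API would receive. The
    episode ID travels along as an external reference so the ticket can be
    written back to the episode afterwards (through the Notable Event Action
    SDK, whose calls are not shown here). A payload without an episode ID is
    refused rather than producing a ticket nothing can link back to."""
    fields = parse_payload(raw)
    if not fields["episode_id"]:
        raise ValueError("payload carries no episode ID; refusing to create an unlinked ticket")
    return {
        "short_description": fields["subject"],
        "description": fields["description"],
        "external_ref": fields["episode_id"],
        "splunk_search": fields["search_name"],
    }


# Constructed sample payload; every value is a placeholder, not captured data.
SAMPLE_PAYLOAD = json.dumps({
    "sid": "constructed-sid-0001",
    "search_name": "ITSI episode action",
    "configuration": {
        "subject": "ITSI episode: $result.itsi_group_title$",
        "message": "First event $result.event_id$ on $result.source$",
    },
    "result": {
        "itsi_group_id": "episode-0001",
        "itsi_group_title": "Disk failure on db01",
        "event_id": "evt-0001",
        "source": "db01",
    },
})

if __name__ == "__main__":
    # Under the Splunk platform the script runs as: script.py --execute < payload.json
    raw = sys.stdin.read() if "--execute" in sys.argv[1:] else SAMPLE_PAYLOAD
    print(json.dumps(build_ticket_request(raw), indent=2))
```

Run without arguments the script prints the request built from the constructed payload; under the Splunk platform the same code path is fed the real payload on stdin. Keeping the episode ID as an explicit external reference, rather than relying on ticket titles, is what makes the later write-back to the episode unambiguous.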

Send an event to a webhook

You can send episode data to a pre-configured webhook. Episode data is only sent if the webhook has been configured. For more information, see Integrate ITSI with a webhook.

  1. From the Alerts and Episodes page, select an episode.
  2. Select Actions then Webhook.
  3. Select Configure and provide a name for the webhook, and validate the webhook URL.
  4. Select Done.
  5. Select View in Activity to see one or more entries related to the webhook.

Note: To trigger this action, you must have a role with the list_storage_passwords capability.

Create an incident in PagerDuty

You can create a PagerDuty incident for an episode.

  1. Select an episode.
  2. Select Actions then Send to PagerDuty.
  3. Configure the following fields:
    PagerDuty Account: The account name you configured in PagerDuty. To configure an account, see Integrate ITSI with PagerDuty.
    PagerDuty Event Action:
      • Trigger: creates an incident.
      • Acknowledge: acknowledges an existing linked incident.
      • Resolve: resolves an existing linked incident.
    Source: The source of the PagerDuty alert. For example, $result.source$.
    Summary: The summary of the incident. For example, $result.itsi_group_title$.
    Severity: The incident severity.
    Timestamp: The timestamp of the event, in UNIX epoch time; the alert action later converts it to ISO format. If left blank, the time at which the action was executed is used.
    Incident Key: Same as the Episode ID. You can't edit this field.
    Link Text: The text of the link displayed on the PagerDuty incident. Cannot be blank if Link Href is set.
    Link Href: The URL of the link displayed on the PagerDuty incident. Cannot be blank if Link Text is set.
    Class: The class or type of incident. For example, cpu load.
    Group: Logical service component grouping. For example, app-stack.
    Component: Component of the source service responsible for the incident. For example, mysql or eth0.
  4. Select Done. Select View in Activity to view more information and PagerDuty incidents.

Note: An incident will only be created if you set the PagerDuty event action to Trigger. You won't be able to acknowledge or resolve an incident when you manually run this action. If an incident is already linked to an episode, you can't run the action again.

Last modified on 29 May, 2024

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.19.0, 4.19.1, 4.19.2
