About the default aggregation policy in ITSI
The ITSI default aggregation policy groups notable events that do not match the filtering criteria of any other aggregation policies. If you do not want to create your own aggregation policies, you can use the default policy to group events. If any aggregation policies have been created and are enabled, the default policy will capture only events that do not match the criteria of one of these policies.
Only a user assigned the itoa_admin role, or a role that inherits from itoa_admin, can modify the default aggregation policy.
The default aggregation policy is defined as follows:
- Does not include any filtering criteria. The default policy catches events not captured by the filtering criteria of any other aggregation policies. None can be added.
- Splits events into multiple episodes by the
sourcefield. You can change the field that is used to split events, specify more than one field by which to split events, or choose to not split events by not specifying a field name.
- ITSI stops adding events to the episode if the flow of events into the episode is paused for 7200 seconds (2 hours). This can be changed to a different length of time or to different breaking criteria.
- Episode information such as Episode Title, Episode Description, and Episode Severity are set to be the same as the first event in the episode. You can change these if desired.
- No action rules are defined. You can add action rules if desired.
To view or modify the default aggregation policy, click Configure > Notable Event Aggregation Policies > Default Policy.
As delivered, the default policy does not have Smart Mode enabled. For information on enabling Smart Mode, see Group similar events with Smart Mode in ITSI.
For information on modifying the default aggregation policy or creating a new aggregation policy, see Create a custom aggregation policy in ITSI.
Notable event aggregation policies overview for ITSI
Create a custom aggregation policy in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1