Splunk® IT Service Intelligence

Administer Splunk IT Service Intelligence

Download manual as PDF

Download topic as PDF

About the default aggregation policy in ITSI

The ITSI default aggregation policy groups notable events that do not match the filtering criteria of any other aggregation policies. If you do not want to create your own aggregation policies, you can use the default policy to group events. If any aggregation policies have been created and are enabled, the default policy will capture only events that do not match the criteria of one of these policies.

Only a user assigned the itoa_admin role, or a role that inherits from itoa_admin, can modify the default aggregation policy.

The default aggregation policy is defined as follows:

    • Does not include any filtering criteria. The default policy catches events not captured by the filtering criteria of any other aggregation policies. None can be added.
    • Splits events into multiple episodes by the source field. You can change the field that is used to split events, specify more than one field by which to split events, or choose to not split events by not specifying a field name.
    • ITSI stops adding events to the episode if the flow of events into the episode is paused for 7200 seconds (2 hours). This can be changed to a different length of time or to different breaking criteria.
    • Episode information such as Episode Title, Episode Description, and Episode Severity are set to be the same as the first event in the episode. You can change these if desired.
    • No action rules are defined. You can add action rules if desired.

To view or modify the default aggregation policy, click Configure > Notable Event Aggregation Policies > Default Policy.

As delivered, the default policy does not have Smart Mode enabled. For information on enabling Smart Mode, see Group similar events with Smart Mode in ITSI.

For information on modifying the default aggregation policy or creating a new aggregation policy, see Create a custom aggregation policy in ITSI.

Notable event aggregation policies overview for ITSI
Create a custom aggregation policy in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters