Splunk® IT Service Intelligence

Administration Manual

Download manual as PDF

This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Download topic as PDF

About ITSI Event Analytics

Splunk IT Service Intelligence (ITSI) Event Analytics ingests events from multiple data sources and creates and manages notable events. A notable event is an enriched event containing metadata to help you investigate issues in your IT environment.

Event Analytics is equipped to handle huge numbers of events coming in at once. Because these events might be related to each other, they must be grouped together so you can identify the underlying problem. Event Analytics provides a simple way to deal with this huge volume and variety of events.

ITSI automatically groups notable events into episodes and organizes them in Episode Review. An episode is a collection of notable events that are grouped together based on predefined rules. You can manage the properties of episodes and determine which services are impacted by each. You can also browse the history of similar episodes to find out what worked to resolve them, and configure automated actions to take on certain types of episodes.

The Event Analytics SDK is shipped with ITSI to help you manage episodes and create custom episode actions programmatically.

Event Analytics workflow

ITSI Event Analytics is designed to make event storms manageable and actionable. After data is ingested into ITSI from multiple data sources, events proceed through the following workflow:

EAworkflow.png

Step 1: Configure a correlation search

The data itself comes from Splunk indexes, but ITSI only focuses on a subset of all Splunk Enterprise data. This subset is generated by correlation searches. A correlation searches is a specific type of saved search that generates notable events from the search results. For more information, see Correlation search overview for ITSI.

Step 2: Configure an aggregation policy

Once notable events start coming in, they need to be organized so you can start gaining value from them. Configure an aaggregation policy to define which notable events are related to each other and group them into episodes. An episode contains a chronological sequence of events that tells the story of a problem or issue. In the backend, a component called the Rules Engine executes the aggregation policies you configure. For more information, see Notable event aggregation policies overview for ITSI.

Step 3: Configure actions

You can run actions on episodes either automatically or manually. Some actions, like sending an email or pinging a host, are shipped with ITSI. You can also create tickets in external ticketing systems like ServiceNow, Remedy, or VictorOps. Finally, actions can also be modular alerts that are shipped with Splunk add-ons or apps, or custom actions that you configure.

Last modified on 03 March, 2020
PREVIOUS
ITSI Predictive Analytics use case
  NEXT
Customize Episode Review in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters