Splunk® IT Service Intelligence

Administer Splunk IT Service Intelligence

Notable event aggregation policies overview for ITSI

Notable event aggregation policies help you group notable events into episodes to organize them in Episode Review. ITSI provides a default aggregation policy to group notable events. You can also create your own aggregation policies if you are familiar with your data and want to define very precisely how events are grouped. You can use Smart Mode on any aggregation policy to employ machine learning algorithms to group events. The process of managing notable events through the use of aggregation policies is often referred to as "event analytics."

Aggregation policies group notable events based on rules that you define. You can also consolidate duplicate events, suppress alerts, or close episodes when a clearing event is received.

Aggregated notable events are displayed in Episode Review when event grouping is enabled in View Settings. These episodes have their own title, description, severity, status, and assignee, separate from the individual notable events within the episode.

A notable event can belong to multiple episodes if it matches the criteria for those episodes.

The following aggregation policies are delivered with ITSI:

See also

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1
