
Ingest Splunk App for Infrastructure alerts into ITSI as notable events
ITSI can ingest alerts from the Splunk App for Infrastructure (SAI) as notable events in Episode Review. The integration uses a built-in correlation search called Splunk App for Infrastructure Alerts.
The correlation search generates a notable event for each SAI alert. Each notable event contains a drilldown link to the entity on the SAI Analysis page.
Integrate alerts from SAI using one of the following methods:
- Enable alert integration in the Integrate with Splunk App for Infrastructure dialog that appears the first time ITSI detects SAI on the same Splunk Enterprise instance. This enables the built-in correlation search as well as the built-in aggregation policy that groups the alerts. You can also open the integration dialog from the Entities lister page in ITSI.
- Enable the built-in correlation search directly. You also need to enable the built-in aggregation policy if you want to group the alerts in Episode Review.
After you enable alert integration, SAI alerts flow into ITSI in real time. You cannot select a subset of alerts to import.
To stop receiving alerts from Splunk App for Infrastructure, disable the Splunk App for Infrastructure correlation search. Alternatively, you can navigate to the Integrate with Splunk App for Infrastructure dialog from the Entities lister page and disable alert integration there.
Start ingesting Splunk App for Infrastructure alerts
Integration between SAI and ITSI is enabled by default. If you did not integrate alerts in the initial integration dialog, as described in Integrate with the Splunk App for Infrastructure, you can enable alert integration manually. See Manually enable or disable integration.
To bring in alerts from Splunk App for Infrastructure using the integration dialog, perform the following steps:
- Log into ITSI with a Splunk admin account.
- The SAI integration dialog opens the first time ITSI detects SAI on the same Splunk Enterprise instance. If the dialog does not open, select Configure > Entities from the top menu bar and click Manage Integrations to launch it.
- Enable the second option (integrate alerts) and click Save. This enables the Splunk App for Infrastructure Alerts correlation search and the Normalized Policy (Splunk App for Infrastructure) aggregation policy.
- Click View Alerts in Episode Review or close the dialog and select Episode Review from the top menu bar.
- Within a couple of minutes, you will see notable events come in for any alerts generated by SAI. If Episode View is on, you will see episodes created by the Normalized Policy (Splunk App for Infrastructure) aggregation policy.
You can navigate back to the Integrate with Splunk App for Infrastructure dialog from the Entities lister page at any time to enable or disable entity and alert integration.
See also
- If you don't see notable events for SAI alerts within a few minutes, see Alerts from the Splunk App for Infrastructure are not imported into ITSI in the Troubleshooting section.
- See Group alerts that come from the Splunk App for Infrastructure for information on grouping Splunk App for Infrastructure notable events.
Stop receiving alerts from Splunk App for Infrastructure
The Splunk App for Infrastructure Alerts correlation search ingests alerts from Splunk App for Infrastructure into ITSI. To stop receiving alerts from the Splunk App for Infrastructure, disable the Splunk App for Infrastructure correlation search.
- In ITSI, click Configure > Correlation Searches from the top menu bar.
- In the Correlation Searches lister page, toggle the Disabled switch for the Splunk App for Infrastructure Alerts correlation search.
To group notable events generated by the Splunk App for Infrastructure Alerts correlation search in Episode Review, enable the Normalized Policy (Splunk App for Infrastructure) aggregation policy.
For search head cluster environments, you must disable the correlation search in Splunk App for Infrastructure from the savedsearches.conf file by disabling the Splunk App for Infrastructure Alerts stanza. You cannot disable the correlation search from the data input user interface.
About the Splunk App for Infrastructure Alerts correlation search
The Splunk App for Infrastructure Alerts correlation search searches the infra_alerts index for entity alerts from SAI, adds normalized fields for ITSI to the event data, and creates a notable event for each alert. The alert severity level in SAI is mapped to the corresponding severity level in ITSI.
The following table describes the mapping between severity levels in SAI and ITSI:

| Splunk App for Infrastructure severity | ITSI severity |
|---|---|
| 1 (normal) | 2 (normal) |
| 3 (medium) | 4 (medium) |
| 5 (critical) | 6 (critical) |
The notable events that are generated from this correlation search have the following naming format:
<Entity title> <metric_name> <state_change: "degraded" or "improved">
For example: webserver01.splunk.com cpu.system degraded.
The correlation search adds the following ITSI normalized fields to the notable event:
- itsiAlert
- itsiDetails
- itsiInstance
- itsiRawStatus
- itsiSeverity
- itsiSubinstance
The Normalized Policy (Splunk App for Infrastructure) aggregation policy uses some of these fields to group the events together.
The correlation search also provides a drilldown link from the notable event to the entity in the Analysis page of the Splunk App for Infrastructure and a drilldown search that opens the Splunk search for the entity alert.
You can modify the correlation search to fit your needs. See Create correlation searches in ITSI for information about correlation searches.
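The following Python model illustrates the behaviour described in this section: an SAI alert is read, its severity is mapped to the ITSI value from the table above, the notable event title is built in the documented format, and the six itsi* normalized fields are attached before the events are grouped. This is an added example, not the correlation search or aggregation policy that ship with ITSI. The SAI-side field names (entity_title, metric_name, state_change, severity, details), the choice of which SAI value lands in each itsi* field, and grouping on itsiInstance are assumptions made for the illustration; only the severity mapping, the title format and the list of normalized fields come from the documentation. The sample alerts are constructed, and the last one is deliberately malformed to show that an alert with an undocumented severity or state change is rejected rather than silently mapped.

```python
"""Model of how an SAI alert becomes an ITSI notable event.

Added illustration, not ITSI's own correlation search. SAI field names
and the placement of SAI values in the itsi* fields are assumptions.
"""
from collections import defaultdict

# Severity mapping documented for the correlation search: SAI -> ITSI.
SAI_TO_ITSI_SEVERITY = {1: 2, 3: 4, 5: 6}

# Only these state changes appear in the documented title format.
VALID_STATE_CHANGES = ("degraded", "improved")


def map_severity(sai_severity):
    """Return the ITSI severity for an SAI severity, or None if unknown.

    Unknown values come back as None rather than a default so that a
    malformed alert is not quietly turned into a low-severity event.
    """
    try:
        return SAI_TO_ITSI_SEVERITY.get(int(sai_severity))
    except (TypeError, ValueError):
        return None


def notable_title(alert):
    """Build '<Entity title> <metric_name> <state_change>'."""
    return f"{alert['entity_title']} {alert['metric_name']} {alert['state_change']}"


def normalize(alert):
    """Turn one raw SAI alert (a dict) into the normalized ITSI fields.

    Returns None when the alert cannot be mapped (unknown severity or
    state change) so the caller can count and inspect the rejects.
    """
    severity = map_severity(alert.get("severity"))
    state = alert.get("state_change")
    if severity is None or state not in VALID_STATE_CHANGES:
        return None
    return {
        "title": notable_title(alert),
        # Assumed placement of SAI values in the documented itsi* fields:
        "itsiAlert": alert["metric_name"],      # what fired
        "itsiDetails": alert.get("details", ""),
        "itsiInstance": alert["entity_title"],  # the SAI entity
        "itsiRawStatus": state,
        "itsiSeverity": severity,
        "itsiSubinstance": alert["metric_name"],
    }


def ingest(raw_alerts):
    """Normalize a batch; return (notables, rejected_raw_alerts)."""
    notables, rejected = [], []
    for raw in raw_alerts:
        event = normalize(raw)
        if event is None:
            rejected.append(raw)
        else:
            notables.append(event)
    return notables, rejected


def group_by_instance(notables):
    """Group notables by itsiInstance (assumed aggregation key).

    The documented aggregation policy groups on "some of" the normalized
    fields; grouping on the entity is this example's assumption.
    """
    groups = defaultdict(list)
    for event in notables:
        groups[event["itsiInstance"]].append(event)
    return dict(groups)


# Constructed sample SAI alerts (not real data). The last one is malformed
# on purpose: an undocumented severity and state change.
SAMPLE_SAI_ALERTS = [
    {"entity_title": "webserver01.splunk.com", "metric_name": "cpu.system",
     "state_change": "degraded", "severity": 5, "details": "cpu.system above threshold"},
    {"entity_title": "webserver01.splunk.com", "metric_name": "memory.free",
     "state_change": "improved", "severity": 1},
    {"entity_title": "db01.example.com", "metric_name": "disk.used",
     "state_change": "degraded", "severity": 3},
    {"entity_title": "db01.example.com", "metric_name": "disk.used",
     "state_change": "flapping", "severity": 7},
]

if __name__ == "__main__":
    notables, rejected = ingest(SAMPLE_SAI_ALERTS)
    for event in notables:
        print(event["title"], "-> itsiSeverity", event["itsiSeverity"])
    print(f"{len(rejected)} alert(s) rejected")
    for instance, events in group_by_instance(notables).items():
        print(instance, len(events), "event(s)")
```

Running the block prints three titles in the documented format, reports one rejected alert, and shows two groups, one per entity. The reject path is the part worth keeping in mind when you modify the real correlation search: any SAI value outside the documented 1/3/5 severities will not match the case mapping, so decide explicitly whether such events should be dropped or given a default severity.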
About the Normalized correlation search
ITSI delivers a second correlation search called the Normalized Correlation Search. If you enable this correlation search, ITSI generates notable events for all third-party alerts that contain the following normalized fields, including those from the Splunk App for Infrastructure:
- itsiAlert
- itsiDetails
- itsiInstance
- itsiRawStatus
- itsiSeverity
- itsiSubinstance
The Normalized Policy (Splunk App for Infrastructure) groups events from both correlation searches into episodes. For more information, see Group alerts from the Splunk App for Infrastructure in ITSI.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5