About ITSI Event Analytics
Splunk IT Service Intelligence (ITSI) Event Analytics ingests events from multiple data sources and creates and manages notable events. A notable event is an enriched event containing metadata to help you investigate issues in your IT environment.
Event Analytics is equipped to handle huge numbers of events coming in at once. Because these events might be related to each other, they must be grouped together so you can identify the underlying problem. Event Analytics provides a simple way to deal with this huge volume and variety of events.
ITSI automatically groups notable events into episodes and organizes them in Episode Review. An episode is a collection of notable events that are grouped together based on predefined rules. You can manage the properties of episodes and determine which services are impacted by each. You can also browse the history of similar episodes to find out what worked to resolve them, and configure automated actions to take on certain types of episodes.
The Event Analytics SDK is shipped with ITSI to help you manage episodes and create custom episode actions programmatically.
Event Analytics workflow
ITSI Event Analytics is designed to make event storms manageable and actionable. After data is ingested into ITSI from multiple data sources, events proceed through the following workflow:
Step 1: Configure a correlation search
The data itself comes from Splunk indexes, but ITSI only focuses on a subset of all Splunk Enterprise data. This subset is generated by correlation searches. A correlation search is a specific type of saved search that generates notable events from the search results. For more information, see Correlation search overview for ITSI.
Step 2: Configure an aggregation policy
Once notable events start coming in, they need to be organized so you can start gaining value from them. Configure an aggregation policy to define which notable events are related to each other and group them into episodes. An episode contains a chronological sequence of events that tells the story of a problem or issue. In the backend, a component called the Rules Engine executes the aggregation policies you configure. For more information, see Notable event aggregation policies overview for ITSI.
Step 3: Configure actions
You can run actions on episodes either automatically or manually. Some actions, like sending an email or pinging a host, are shipped with ITSI. You can also create tickets in external ticketing systems like ServiceNow, Remedy, or VictorOps. Finally, actions can also be modular alerts that are shipped with Splunk add-ons or apps, or custom actions that you configure.
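The three steps above, as a toy model added here for illustration (it is not ITSI code and does not reproduce the Rules Engine): a correlation-search-like pass that turns constructed raw CPU readings into notable events, an aggregation policy with a filter, a split-by field and two breaking conditions (a time gap and a recovery event), and actions that run on the resulting episodes. The field names, thresholds, severity scale and rule semantics are assumptions made for the example.

```python
"""Toy model of the Event Analytics workflow: correlation search ->
aggregation policy (rules engine) -> actions. Added illustration only;
all field names, thresholds and rule semantics are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

SEVERITY_RANK = {"normal": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class NotableEvent:
    time: datetime
    host: str
    service: str
    severity: str
    title: str


@dataclass
class Episode:
    split_key: str
    events: List[NotableEvent] = field(default_factory=list)
    closed: bool = False

    @property
    def max_severity(self) -> str:
        return max(self.events, key=lambda e: SEVERITY_RANK[e.severity]).severity


# Constructed raw index data: CPU readings per host (time offset in minutes).
T0 = datetime(2024, 1, 1, 0, 0)
RAW_EVENTS = [
    {"time": T0 + timedelta(minutes=m), "host": h, "service": s, "cpu_pct": c}
    for h, m, c, s in [
        ("web01", 0, 95, "shop"), ("web01", 2, 98, "shop"), ("db01", 3, 50, "shop"),
        ("web01", 5, 40, "shop"), ("test01", 10, 99, "lab"), ("db01", 20, 92, "shop"),
        ("db01", 25, 93, "shop"), ("db01", 40, 99, "shop"),
    ]
]


def correlation_search(raw_events, threshold: int = 90) -> List[NotableEvent]:
    """Step 1 (simulated): emit a notable event when CPU crosses the threshold,
    and a 'normal' recovery event when a previously alerting host drops below it."""
    notable, alerting = [], set()
    for ev in sorted(raw_events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["cpu_pct"] >= threshold:
            alerting.add(host)
            sev = "critical" if ev["cpu_pct"] >= 97 else "high"
            notable.append(NotableEvent(ev["time"], host, ev["service"], sev,
                                        f"CPU {ev['cpu_pct']}% on {host}"))
        elif host in alerting:
            alerting.discard(host)
            notable.append(NotableEvent(ev["time"], host, ev["service"], "normal",
                                        f"CPU recovered on {host}"))
    return notable


@dataclass
class AggregationPolicy:
    """Step 2: which events the policy applies to, how to split them into
    episodes, and when an episode breaks (assumed rule shape)."""
    filter_fn: Callable[[NotableEvent], bool]
    split_by: Callable[[NotableEvent], str]
    break_after: timedelta
    break_when: Callable[[NotableEvent], bool]


DEFAULT_POLICY = AggregationPolicy(
    filter_fn=lambda e: e.service == "shop",       # ignore the lab host
    split_by=lambda e: e.host,                      # one episode stream per host
    break_after=timedelta(minutes=10),              # gap between events closes it
    break_when=lambda e: e.severity == "normal",    # recovery event closes it
)


def run_rules_engine(events: List[NotableEvent], policy: AggregationPolicy) -> List[Episode]:
    """Group notable events into chronological episodes under the policy."""
    open_episodes: Dict[str, Episode] = {}
    finished: List[Episode] = []
    for ev in sorted(events, key=lambda e: e.time):
        if not policy.filter_fn(ev):
            continue
        key = policy.split_by(ev)
        ep = open_episodes.get(key)
        if ep is not None and ev.time - ep.events[-1].time > policy.break_after:
            ep.closed = True                         # time gap: close and start anew
            finished.append(open_episodes.pop(key))
            ep = None
        if ep is None:
            ep = open_episodes[key] = Episode(split_key=key)
        ep.events.append(ev)
        if policy.break_when(ev):                    # breaking event: close now
            ep.closed = True
            finished.append(open_episodes.pop(key))
    finished.extend(open_episodes.values())          # still-open episodes last
    return finished


# Step 3: (name, condition on episode, action) triples; actions just return a record.
Action = Tuple[str, Callable[[Episode], bool], Callable[[Episode], str]]
DEFAULT_ACTIONS: List[Action] = [
    ("page-oncall", lambda ep: ep.max_severity == "critical", lambda ep: f"page-oncall:{ep.split_key}"),
    ("email", lambda ep: len(ep.events) >= 2, lambda ep: f"email:{ep.split_key}"),
]


def run_actions(episodes: List[Episode], actions: List[Action]) -> List[str]:
    """Run each matching action on each episode and return the action log."""
    return [act(ep) for ep in episodes for _, cond, act in actions if cond(ep)]


if __name__ == "__main__":
    eps = run_rules_engine(correlation_search(RAW_EVENTS), DEFAULT_POLICY)
    for ep in eps:
        print(ep.split_key, len(ep.events), ep.max_severity, "closed" if ep.closed else "open")
    print(run_actions(eps, DEFAULT_ACTIONS))
```

Running the script shows web01's three events collapsed into one closed episode ended by the recovery event, db01 split into two episodes by the 15-minute gap (the second still open), and the lab host dropped by the policy filter before any grouping happens; the action log then lists only the page and email actions whose conditions matched.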
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1