Splunk® IT Service Intelligence

Administer Splunk IT Service Intelligence

Download manual as PDF

Download topic as PDF

Group similar events with Smart Mode in ITSI

Smart Mode groups notable events in Episode Review based on their similarities. It uses machine learning algorithms to compare event field values and group events that are related to each other. Smart Mode reduces noise and detects patterns in your events so you don't have to. You can enable Smart Mode on the default aggregation policy or on a custom policy.

Do not enable Smart Mode on more than five aggregation policies in a minimum environment (12 CPUs, 12 GB of RAM on the search head), or more than 20 aggregation policies in a performance environment (48 CPUs, 65 GB of RAM on the search head).

  1. Click Configure > Notable Event Aggregation Policies.
  2. Select a custom policy or the Default Policy.
  3. Under Smart Mode grouping, enable Smart Mode.
  4. Click Select fields. A dialog displays the fields found in your notable events from the last 24 hours.
  5. (Optional) Change the time period for the field analysis and click Re-run Analysis.
  6. Choose the fields to compare for event similarity. Recommended fields are selected by default. Do not select more than 15 fields, as this might impact performance.
    Column Description
    Type Category or Text based on the content of the field. Category fields have a distinct value, such as a status field. Text fields consist of a string, such as a description field.
    # of Values The number of values for each field.
    Event Coverage The percentage of events that contain the field. In general, choose fields with high event coverage.
  7. Click Apply.
    An episode preview uses the last 24 hours of data to illustrate event grouping with Smart Mode enabled. Expand an episode to see the individual notable events.
  8. (Optional) Configure other Smart Mode settings:

    Setting Description
    Smart Mode grouping The importance of text similarity versus category similarity. The episodes in the preview update to reflect the importance factors you set. Setting both to 0, half, or 1 gives the factors equal weight.


    Enable Split by Service to provide service context for your events. For example, if two events have similar fields but affect different services, they probably shouldn't be grouped together. If enabled, events are grouped by service first, then by text and category similarity.

    Enable Split by Entity to provide entity context for your events. If enabled, ITSI segregates events based on the entity they belong to before applying grouping. Then it groups by text and category similarity. For example, if there are web status errors and disk errors on the same host that occurred in the same time period, those events are now in the same episode.

    If you split by service AND entity, Smart Mode splits by service first (if the event has service association) and does not split further. If the event has no service association, it splits by entity.

    Split events by field Splits events into separate episodes based on a field name. host is a common field to split by so that separate episodes get created for each host. Use commas to separate multiple fields.
    Break episode The number of seconds that the flow of events is paused before grouping stops.
    Episode information Determines how the information in each episode is named or assigned. If you select Static value for Episode Title or Episode Description, you can use a token such as %title% or %description% to insert the value of a field.
  9. Click Save.

After you save your aggregation policy, events are grouped in Episode Review according to the policy you configured. Custom aggregation policies take precedence over the Default Policy, so if an event meets the criteria of a custom policy, it is grouped according to that policy's rules.

PREVIOUS
Create a custom aggregation policy in ITSI
  NEXT
Correlation search overview for ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters