Notable event aggregation policies overview for ITSI
Notable event aggregation policies help you group notable events into episodes so that you can organize them in Episode Review. ITSI provides a default aggregation policy that groups notable events. You can also create your own aggregation policies if you know your data and want to define precisely how events are grouped. You can enable Smart Mode on any aggregation policy to group events using machine learning algorithms. Managing notable events with aggregation policies is often referred to as "event analytics."
Aggregation policies group notable events based on rules that you define. You can also consolidate duplicate events, suppress alerts, or close episodes when a clearing event is received.
Aggregated notable events are displayed in Episode Review when event grouping is enabled in View Settings. These episodes have their own title, description, severity, status, and assignee, separate from the individual notable events within the episode.
A notable event can belong to multiple episodes if it matches the criteria of more than one policy.
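To make the grouping behaviour described above concrete, here is a small in-memory aggregator that applies policy rules to a stream of notable events: it splits events into episodes by a field value, consolidates duplicates, closes an episode when a clearing event arrives, and lets one event land in more than one episode. This is an added illustration written for this page, not ITSI code and not ITSI's policy format; the event field names (`host`, `service`, `severity`, `title`, `status`), the policy attributes, and the sample events are all assumptions.

```python
"""Toy episode aggregator (constructed illustration, not ITSI code)."""
from dataclasses import dataclass, field
from typing import Callable, List

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    """One aggregation policy. Attribute names are assumptions for this example."""
    name: str
    filter: Callable[[dict], bool]       # which notable events this policy considers
    split_by: str                        # field whose value identifies the episode
    dedup_by: str                        # repeats on this field are consolidated, not re-added
    is_clearing: Callable[[dict], bool]  # an event that closes the episode


@dataclass
class Episode:
    policy: str
    key: str
    status: str = "open"
    severity: str = "info"               # highest severity seen in the episode
    events: List[dict] = field(default_factory=list)
    duplicates: int = 0                  # how many repeated events were consolidated


class Aggregator:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.episodes: List[Episode] = []

    def _open_episode(self, policy: Policy, key: str) -> Episode:
        """Return the open episode for (policy, key), creating one if none is open."""
        for ep in self.episodes:
            if ep.policy == policy.name and ep.key == key and ep.status == "open":
                return ep
        ep = Episode(policy=policy.name, key=key)
        self.episodes.append(ep)
        return ep

    def ingest(self, event: dict) -> List[Episode]:
        """Route one notable event; returns every episode it was placed in."""
        placed = []
        for policy in self.policies:
            if not policy.filter(event):
                continue
            ep = self._open_episode(policy, str(event.get(policy.split_by)))
            dup_val = event.get(policy.dedup_by)
            if any(e.get(policy.dedup_by) == dup_val for e in ep.events):
                ep.duplicates += 1       # consolidate the duplicate instead of re-adding it
            else:
                ep.events.append(event)
                sev = event.get("severity", "info")
                if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[ep.severity]:
                    ep.severity = sev
            if policy.is_clearing(event):
                ep.status = "closed"     # the next event with this key starts a fresh episode
            placed.append(ep)
        return placed


def build_demo() -> Aggregator:
    # Two hypothetical policies: one groups everything by host and closes on a
    # clearing event; the other collects only critical database alerts.
    by_host = Policy(
        name="group by host",
        filter=lambda e: True,
        split_by="host",
        dedup_by="title",
        is_clearing=lambda e: e.get("status") == "clear",
    )
    db_critical = Policy(
        name="critical database alerts",
        filter=lambda e: e.get("service") == "database" and e.get("severity") == "critical",
        split_by="service",
        dedup_by="title",
        is_clearing=lambda e: False,
    )
    return Aggregator([by_host, db_critical])


# Constructed sample notable events, not real ITSI output.
SAMPLE_EVENTS = [
    {"host": "db01", "service": "database", "severity": "high", "title": "disk 91% full"},
    {"host": "db01", "service": "database", "severity": "high", "title": "disk 91% full"},       # duplicate
    {"host": "db01", "service": "database", "severity": "critical", "title": "replication lag"},  # matches both policies
    {"host": "db01", "service": "database", "severity": "info", "title": "disk usage normal", "status": "clear"},
    {"host": "db01", "service": "database", "severity": "medium", "title": "disk 85% full"},     # new episode after clear
]


def run_demo() -> Aggregator:
    agg = build_demo()
    for ev in SAMPLE_EVENTS:
        agg.ingest(ev)
    return agg


if __name__ == "__main__":
    for ep in run_demo().episodes:
        print(ep.policy, ep.key, ep.status, ep.severity, len(ep.events), ep.duplicates)
```

Running the demo yields three episodes: the first host episode holds three distinct events plus one consolidated duplicate, carries the highest severity seen (critical), and is closed by the clearing event; the critical-database policy opens its own episode containing the replication-lag event, which therefore sits in two episodes at once; and the event that arrives after the clearing event starts a fresh host episode rather than reopening the closed one.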
The following aggregation policies are delivered with ITSI:
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0