Splunk® IT Service Intelligence

SAI Integration



Splunk IT Service Intelligence version 4.3.x will no longer be supported as of July 17, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.

Group alerts from the Splunk App for Infrastructure in ITSI

ITSI includes a pre-built notable event aggregation policy called "Normalized Policy (Splunk App for Infrastructure)" that groups the notable events created for Splunk App for Infrastructure alerts in Episode Review. If the Normalized Correlation Search is enabled, this policy also groups notable events for other third-party alerts that use ITSI normalized fields.

The Normalized Policy (Splunk App for Infrastructure) groups notable events created from the following two correlation searches:

  • Splunk App for Infrastructure Alerts
  • Normalized Correlation Search

You can modify this policy to meet your needs.

Enable the Normalized Policy (Splunk App for Infrastructure)

If you enable alert integration in the Integrate with Splunk App for Infrastructure dialog, the Normalized Policy (Splunk App for Infrastructure) aggregation policy is enabled for you, along with the Splunk App for Infrastructure Alerts correlation search. If you enabled the Splunk App for Infrastructure Alerts correlation search directly, you need to enable the Normalized Policy (Splunk App for Infrastructure) aggregation policy if you want to use it.

To enable the Normalized Policy (Splunk App for Infrastructure) aggregation policy, perform the following steps:

  1. In ITSI, select Configure > Notable Event Aggregation Policies from the top menu bar.
  2. In the Normalized Policy (Splunk App for Infrastructure) line, toggle the switch to Enabled.

For more information about notable event aggregation policies, see Notable event aggregation policies in ITSI.

Normalized Policy (Splunk App for Infrastructure) configuration

The Normalized Policy (Splunk App for Infrastructure) aggregation policy has the following configuration:

Setting: Include the events if
Description: Events are filtered by the following ITSI normalized fields:
  • itsiAlert
  • itsiInstance
  • itsiSubInstance
  • itsiSeverity

Setting: Split events by field
Description: Events are split into multiple episodes by:
  • itsiAlert
  • itsiInstance
  • itsiSubInstance

Setting: Break episode
Description: The episode is broken:
  • If the flow of events into the episode is paused for 3600 seconds (1 hour)
  OR
  • If an event occurs for which severity = Normal.

Setting: Episode information
Description:
  • Episode Title: Normalized Alert for %itsiInstance% (%itsiSubInstance%) : %itsiAlert%
  • Episode Description: Same as last event
  • Episode Severity: Same as last event
  • Episode Assignee: Same as first event
  • Episode Status: Same as first event

Setting: Action Rules
Description:
  • If the episode is broken, and the number of events in this episode is == 1, then change status to Closed for the episode.
  • If the episode is broken, and the number of events in this episode is >= 2, then change status to Resolved for the episode.

How the aggregation policy works

If the first event in the episode has a severity of Normal, the episode breaks and no other events are added to it. If there is only one event in the episode, the status changes to Closed.

If two or more events are added to an episode with a severity other than Normal, and then a Normal event comes in (a clearing event):

  • The episode breaks.
  • The severity is set to Normal.
  • The status changes to Resolved.

If an episode contains events with a severity other than Normal:

  • The episode breaks if no new events come in for an hour.
  • The severity is set to the same as the last event.
  • The status changes to Resolved because enough time has passed that a problem most likely no longer exists.
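The grouping behaviour described above, as an added Python simulation that is not part of ITSI or this documentation: it replays a constructed stream of normalized notable events through the policy's filter, split-by, break and action rules. It assumes each event carries a numeric `_time` in seconds and that a freshly created episode starts with status New.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAUSE_SECONDS = 3600   # "Break episode": flow paused for 3600 seconds (1 hour)
REQUIRED = ("itsiAlert", "itsiInstance", "itsiSubInstance", "itsiSeverity")
Key = Tuple[str, str, str]   # "Split events by field": alert, instance, sub-instance

@dataclass
class Episode:
    key: Key
    events: List[dict] = field(default_factory=list)
    status: str = "New"   # assumption: a freshly created episode starts as New

def _break(ep: Episode) -> None:
    # Action rules: broken with 1 event -> Closed, with 2 or more -> Resolved
    ep.status = "Closed" if len(ep.events) == 1 else "Resolved"

def aggregate(events: List[dict], now: Optional[float] = None) -> List[Episode]:
    episodes: List[Episode] = []
    open_eps: Dict[Key, Episode] = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        if not all(f in ev for f in REQUIRED):
            continue   # "Include the events if": only events carrying the normalized fields
        key = (ev["itsiAlert"], ev["itsiInstance"], ev["itsiSubInstance"])
        ep = open_eps.get(key)
        if ep is not None and ev["_time"] - ep.events[-1]["_time"] > PAUSE_SECONDS:
            _break(open_eps.pop(key))   # paused over an hour: break it, start a fresh one
        if key not in open_eps:
            ep = open_eps[key] = Episode(key)
            episodes.append(ep)
        ep.events.append(ev)
        if ev["itsiSeverity"] == "Normal":   # clearing event: the episode breaks at once
            _break(open_eps.pop(key))
    if now is not None:   # episodes still open break once they have been idle an hour
        for key, ep in list(open_eps.items()):
            if now - ep.events[-1]["_time"] > PAUSE_SECONDS:
                _break(open_eps.pop(key))
    return episodes

def _ev(t, alert, inst, sub, sev):   # builder for constructed sample events
    return {"_time": t, "itsiAlert": alert, "itsiInstance": inst,
            "itsiSubInstance": sub, "itsiSeverity": sev}

SAMPLE = [   # constructed stream, not real SAI output; times in seconds
    _ev(0, "cpu", "h1", "cpu0", "Critical"), _ev(600, "cpu", "h1", "cpu0", "High"),
    _ev(1200, "cpu", "h1", "cpu0", "Normal"),   # clearing event -> 3 events, Resolved
    _ev(0, "mem", "h2", "-", "Normal"),         # lone Normal event -> Closed
    _ev(0, "disk", "h3", "sda", "Critical"), _ev(300, "disk", "h3", "sda", "Critical"),
    _ev(5000, "disk", "h3", "sda", "Critical"), # gap over 1 hour -> pair Resolved, new episode
]
```

Read literally, the action rules close rather than resolve an episode that breaks after an hour of silence with only one non-Normal event in it, so a single alert with no follow-up lands in Closed, not Resolved.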

This aggregation policy lets you filter Episode Review by Status to get the following information:

Status: New
Description: Alerts that are active (the most recent severity is not Normal).

Status: Resolved
Description: Alerts that are no longer active (the most recent severity is Normal, or no new events have been received for an hour).

Status: Closed
Description: Alerts that can be ignored, since they consisted only of a Normal event.

See Overview of Episode Review in ITSI for information about Episode Review.

Last modified on 19 March, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5
