Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.4.x will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. Click here for the latest version.
Acrobat logo Download topic as PDF

Customize Episode Review in ITSI

As a Splunk ITSI administrator, you can customize the way that analysts view and interact with events and episodes in Episode Review.

Modify which events analysts can see

By default, ITSI service-level permissions apply to episodes in Episode Review. This means that analysts can only see events from services for which they have read permission. If an event is not associated with a particular service (none of the fields in the event contains service information) then all users can view the event.

You can disable service-level permissions for Episode Review using the itsi_team.conf file.


  • Only users with file system access, such as system administrators, can disable service-level permissions for Episode Review.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.


  1. Open or create an itsi_team.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local.
  2. Under the [notable_event_review_security_group] stanza, set disabled to 1

If service-level permissions are disabled for Episode Review, all ITSI users can see all notable events, regardless of which service they are associated with. However, service information for services that a user does not have read access to are not displayed for notable events. For information about service-level permissions, see Overview of service-level permissions in ITSI.

Modify analyst permissions

Configure read and write permissions on a saved view of Episode Review to restrict permissions for certain roles. By default, read and write permissions are granted to Everyone (all roles) for a newly created view of Episode Review.


You must have the itoa_admin or itoa_team_admin role, or be assigned the configure_perms capability, to set permissions on a saved Episode Review. For more information, see Configure users and roles in ITSI.


  1. Within Episode Review, click the side arrow to show alternate views.
  2. Click Full Lister Page.
  3. On the Episode Review lister page, locate the saved view you want to edit and click Edit > Permissions.
  4. Allow or prevent analysts from reading or writing to the saved Episode Review. Everyone is granted read/write access by default.
  5. Click Save.

Change Episode Review columns

You can change the columns displayed in a saved Episode Review.

  1. Click the gear icon to open the View Settings modal.
  2. Use the Columns Shown section to edit, remove, or change the order of the available columns.
  3. Add custom columns by selecting Add Column. For example, choose All Tickets to display a column with any external tickets linked to the episode.
  4. Click Done.
Last modified on 03 March, 2020
About ITSI Event Analytics
Set up custom episode actions in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters