
Customize Episode Review in ITSI
As a Splunk ITSI administrator, you can customize the way that analysts view and interact with events and episodes in Episode Review.
Modify which events analysts can see
By default, ITSI service-level permissions apply to episodes in Episode Review. This means that analysts can only see events from services for which they have read permission. If an event is not associated with a particular service (none of the fields in the event contains service information) then all users can view the event.
You can disable service-level permissions for Episode Review using the itsi_team.conf file.
Prerequisites
- Only users with file system access, such as system administrators, can disable service-level permissions for Episode Review.
- Review the steps in How to edit a configuration file in the Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.
Steps
- Open or create an
itsi_team.conf
file at$SPLUNK_HOME/etc/apps/SA-ITOA/local
. - Under the
[notable_event_review_security_group]
stanza, setdisabled
to1
If service-level permissions are disabled for Episode Review, all ITSI users can see all notable events, regardless of which service they are associated with. However, service information for services that a user does not have read access to are not displayed for notable events. For information about service-level permissions, see Overview of service-level permissions in ITSI.
Modify analyst permissions
Configure read and write permissions on a saved view of Episode Review to restrict permissions for certain roles. By default, read and write permissions are granted to Everyone (all roles) for a newly created view of Episode Review.
Prerequisites
You must have the itoa_admin
or itoa_team_admin
role, or be assigned the configure_perms
capability, to set permissions on a saved Episode Review. For more information, see Configure users and roles in ITSI.
Steps
- Within Episode Review, click the side arrow to show alternate views.
- Click Full Lister Page.
- On the Episode Review lister page, locate the saved view you want to edit and click Edit > Permissions.
- Allow or prevent analysts from reading or writing to the saved Episode Review. Everyone is granted read/write access by default.
- Click Save.
Change Episode Review columns
You can change the columns displayed in a saved Episode Review.
- Click the gear icon to open the View Settings modal.
- Use the Columns Shown section to edit, remove, or change the order of the available columns.
- Add custom columns by selecting Add Column. For example, choose
All Tickets
to display a column with any external tickets linked to the episode. - Click Done.
PREVIOUS About ITSI Event Analytics |
NEXT Set up custom episode actions in ITSI |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5
Feedback submitted, thanks!