Dispatch episode actions to a remote ITSI instance

Dispatch episode actions on-premises from a Splunk Cloud instance using hybrid action dispatching. You can configure your on-premises instance to connect to the cloud and get the required information to run the action. Actions include updating the status, severity, and owner of episodes, adding comments, linking tickets, sending an email, pinging a host, and any other custom actions you've configured.

Hybrid action dispatching involves configuring your cloud instance as the Master node and your on-premises instance as the Executor node.

The following tasks are meant to configure your cloud instance as the Master node and your on-premises instance as the Executor node. However, you can configure both roles on on-premises instances if needed.

Prerequisites

• You must have the admin or itoa_admin role to configure action dispatching.
• If an action is configured on the Master node, it must also be configured on the Executor node. If there is a mismatch, the Master node might be able to configure actions that don't exist on the Executor. For information about configuring ServiceNow, VictorOps, and Remedy actions, see Take action on an episode in ITSI in the User IT Service Intelligence manual.

Configure the cloud search head as the Master node

Configure the cloud search head as the Master node. This is the node running core Event Analytics functionality.

1. Create an account on the Master node

Configure a user with the itoa_admin role on the cloud search head.

1. Click Settings > Access controls.
2. In the Users row, click +Add New.
3. Type a name and password.
4. In the Assign to roles Available item(s) list, click itoa_admin to add it to the Selected Item(s) list.
5. Click Save.

2. Configure the Master node

Configure the cloud search head as the Master node.

1. On the Master node, click Configure > Hybrid Action Dispatching.
2. Set the node's role to Master.
3. Click Save.

3. Disable action execution on the Master node

The IT Service Intelligence Actions Queue Consumer processes KV store data and executes episode actions. Disable this component on the Master node so that dispatched actions won't run locally.

1. On the Master node, click Settings > Data inputs.
2. Open the IT Service Intelligence Actions Queue Consumer.
3. Click Disable in the Status column of the alpha, beta, and gamma instances to disable them.

4. Configure receiving on the Master node

Configure the master node to receive all action execution information from the Executor node.

1. On the Master node, click Settings > Forwarding and receiving.
2. Click Configure receiving.
3. Click New Receiving Port.
4. Add the TCP port number of the on-premises instance that will execute actions.
5. Click Save.

Configure the on-premises search head as the Executor node

Configure the on-premises search head as the Executor node. This is the node that executes episode actions. The Executor makes outbound communication on port 8089 to the cloud search head (Master node), pulling data from the Master node.

You do not need to open any inbound ports. The Executor pushes data to the Master node by configuring forwarding on the port you specify.

5. Configure the Executor node

Assign the on-premises search head as the Executor node and configure the remote instance credentials.

1. On the Executor node, click Configure > Hybrid Action Dispatching.
2. Set the node's role to Executor.
3. Configure the following settings:

   Setting	Description
   URI	The location of the Master node running core Event Analytics services. The URI must point to the management port 8089 (by default) of the Splunk platform instance and include a scheme, host, and port.
   Username	The username that you configured when you created an account on the Master node.
   Password	The password used to log in to the Master node.

4. Click Save.
5. Restart the Executor node to point the Action Queue Consumer to the Master node.

6. Disable Event Analytics on the Executor node

Disable Event Analytics on the Executor node so that this component does not run locally.

1. On the Executor node, click Settings > Searches, reports, and alerts.
2. Change the App: context to All.
3. Search for the itsi_event_grouping search. ITSI Event Analytics runs when this search is enabled.
4. In the Actions column, click Edit > Disable to disable Event Analytics on the Executor node.

7. Configure forwarding on the Executor node

Configure forwarding on the Executor node so that it can send action execution information to the Master node.

1. On the Executor node, click Settings > Forwarding and receiving.
2. Click Configure forwarding.
3. Click New Forwarding Host.
4. Enter the host and port number of the Master node.
5. Click Save.

8. Ensure that the Action Queue Consumer is running on the Executor node

Make sure that the Event Analytics saved search is running on the Executor node.

1. On the Executor node, click Settings > Data inputs.
2. Open the IT Service Intelligence Actions Queue Consumer.
3. Make sure the alpha, beta, and gamma instances show Enabled in the Status column. If not, enable them.

Confirm setup

To confirm that you've successfully configured hybrid action dispatching, execute an action from the Master node. After the action runs, it should appear in the Activity tab of the episode.

• To execute an action from Episode Review, see Take action on an episode in ITSI.
• To execute an action through an aggregation policy, see Create a custom aggregation policy in ITSI.