
Dispatch episode actions to a remote ITSI instance
Dispatch episode actions on-premises from a Splunk Cloud instance using hybrid action dispatching. You can configure your on-premises instance to connect to the cloud and get the required information to run the action. Actions include updating the status, severity, and owner of episodes, adding comments, linking tickets, sending an email, pinging a host, and any other custom actions you've configured.
Hybrid action dispatching involves configuring your cloud instance as the Master node and your on-premises instance as the Executor node.
Node role | Description |
---|---|
Master | The node running core Event Analytics functionality. Configure aggregation policies and trigger actions from the Master node. |
Executor | The node where actions run. The Executor node receives actions dispatched from the Master node and executes them. |
The following tasks are meant to configure your cloud instance as the Master node and your on-premises instance as the Executor node. However, you can configure both roles on on-premises instances if needed.
Prerequisites
- You must have the admin or itoa_admin role to configure action dispatching.
- If an action is configured on the Master node, it must also be configured on the Executor node. If there is a mismatch, the Master node might be able to configure actions that don't exist on the Executor. For information about configuring ServiceNow, VictorOps, and Remedy actions, see Take action on an episode in ITSI in the User IT Service Intelligence manual.
Configure the cloud search head as the Master node
Configure the cloud search head as the Master node. This is the node running core Event Analytics functionality.
1. Create an account on the Master node
Configure a user with the itoa_admin role on the cloud search head.
- Click Settings > Access controls.
- In the Users row, click +Add New.
- Type a name and password.
- In the Available item(s) list, click itoa_admin to add it to the Selected Item(s) list.
- Click Save.
2. Configure the Master node
Configure the cloud search head as the Master node.
- On the Master node, click Configure > Hybrid Action Dispatching.
- Set the node's role to Master.
- Click Save.
3. Disable action execution on the Master node
The ITSI action queue consumers process KV store data and execute episode actions. Disable this component on the Master node so dispatched actions don't run locally.
- On the Master node, click Settings > Data inputs.
- Open the IT Service Intelligence Actions Queue Consumer.
- Click Disable in the Status column of the alpha, beta, and gamma instances to disable them.
4. Configure receiving on the Master node
Configure the Master node to receive all action execution information from the Executor node.
- On the Master node, click Settings > Forwarding and receiving.
- Click Configure receiving.
- Click New Receiving Port.
- Add the TCP port number of the on-premises instance that will execute actions.
- Click Save.
Configure the on-premises search head as the Executor node
Configure the on-premises search head as the Executor node. This is the node that executes episode actions. The Executor makes outbound communication on port 8089 to the cloud search head (Master node), pulling data from the Master node.
You do not need to open any inbound ports. The Executor pushes data to the Master node by configuring forwarding on the port you specify.
5. Configure the Executor node
Assign the on-premises search head as the Executor node and configure the remote instance credentials.
- On the Executor node, click Configure > Hybrid Action Dispatching.
- Set the node's role to Executor.
- Configure the following settings:
Setting | Description |
---|---|
URI | The location of the Master node running core Event Analytics services. The URI must point to the management port 8089 (by default) of the Splunk platform instance and include a scheme, host, and port. |
Username | The username that you configured when you created an account on the Master node. |
Password | The password used to log in to the Master node. |
- Click Save.
- Restart the Executor node to point the Action Queue Consumer to the Master node.
6. Disable the Rules Engine on the Executor node
Disable the Rules Engine on the Executor node so it doesn't run locally.
- On the Executor node, click Settings > Searches, reports, and alerts.
- Change the App: context to All.
- Search for the itsi_event_grouping search. The Rules Engine runs when this search is enabled.
- In the Actions column, click Edit > Disable to disable the Rules Engine.
7. Configure forwarding on the Executor node
Configure forwarding on the Executor node so that it can send action execution information to the Master node.
- On the Executor node, click Settings > Forwarding and receiving.
- Click Configure forwarding.
- Click New Forwarding Host.
- Enter the host and port number of the Master node.
- Click Save.
8. Make sure the action queue consumers are running on the Executor node
Perform the following steps on the Executor node:
- On the Executor node, click Settings > Data inputs.
- Open the IT Service Intelligence Actions Queue Consumer.
- Make sure the alpha, beta, and gamma instances show Enabled in the Status column. If not, enable them.
9. (Optional) Enable additional action queue consumers
ITSI provides five preconfigured action queue consumers with only three enabled by default. If actions show high latency (30+ seconds to run an action), enable more action queue consumers. For scaling purposes you can enable additional consumers on a single instance first. If you need additional action throughput, consider scaling out to a second executor node.
The default settings for action queue consumers, such as execution delay time and batch size, can support most ITSI environments. If your environment generates very high throughput, such as 1000 or more actions per minute, consider increasing the batch size for your action queue consumers.
Confirm setup
To confirm that you've successfully configured hybrid action dispatching, execute an action from the Master node. After the action runs, it should appear in the Activity tab of the episode.
- To execute an action from Episode Review, see Take action on an episode in ITSI.
- To execute an action through an aggregation policy, see Create a custom aggregation policy in ITSI.
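If the action does not appear, the following pre-flight check compares the state you recorded from each node's UI against the steps and prerequisites above. It is an example added here, not part of the Splunk documentation or product; the dictionary layout, host names, port 9997 and action names are assumptions made for the illustration, and the https check is an added recommendation rather than a requirement stated on this page.

```python
from urllib.parse import urlsplit

CONSUMERS = ("alpha", "beta", "gamma")  # consumer instances named in steps 3 and 8

def audit_hybrid_dispatch(master, executor):
    """Return findings; an empty list means the recorded state matches the procedure."""
    f = []
    if master["role"] != "Master":
        f.append("master: role is not Master")
    if executor["role"] != "Executor":
        f.append("executor: role is not Executor")
    for name in CONSUMERS:
        # Step 3: disabled on the Master. Step 8: enabled on the Executor.
        if master["consumers"].get(name):
            f.append(f"master: consumer {name} enabled, actions may run locally")
        if not executor["consumers"].get(name):
            f.append(f"executor: consumer {name} not enabled")
    # Step 5: the URI must include a scheme, host, and port.
    try:
        uri = urlsplit(executor["master_uri"])
        complete = bool(uri.scheme and uri.hostname and uri.port)
    except ValueError:  # malformed host or non-numeric port
        uri, complete = None, False
    if not complete:
        f.append("executor: Master URI lacks scheme, host, or port")
    elif uri.scheme != "https":
        # Added check, not from the page: keep the stored password off clear-text HTTP.
        f.append("executor: Master URI is not https")
    # Step 6: the Rules Engine runs while itsi_event_grouping is enabled.
    if executor["itsi_event_grouping_enabled"]:
        f.append("executor: itsi_event_grouping enabled, Rules Engine runs locally")
    # Steps 4 and 7: the forwarding port must be a receiving port on the Master.
    if executor["forward_to"][1] not in master["receiving_ports"]:
        f.append("executor: forwards to a port the Master is not receiving on")
    # Prerequisite: every action on the Master must also exist on the Executor.
    for action in sorted(set(master["actions"]) - set(executor["actions"])):
        f.append(f"executor: action {action} missing")
    return f

# Constructed sample state (hypothetical hosts; port 9997 chosen for illustration).
MASTER = {"role": "Master", "consumers": {"alpha": False, "beta": False, "gamma": True},
          "receiving_ports": [9997], "actions": ["email", "ping", "servicenow"]}
EXECUTOR = {"role": "Executor", "consumers": {"alpha": True, "beta": True, "gamma": True},
            "master_uri": "https://itsi-master.example.com", "itsi_event_grouping_enabled": True,
            "forward_to": ("itsi-master.example.com", 9997), "actions": ["email", "ping"]}

if __name__ == "__main__":
    for finding in audit_hybrid_dispatch(MASTER, EXECUTOR):
        print(finding)
```

The sample state deliberately contains four mistakes: a consumer left enabled on the Master, a URI without a port, the Rules Engine still enabled on the Executor, and an action missing from the Executor.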
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5