Group alerts from the Splunk App for Infrastructure in ITSI
ITSI includes a pre-built notable event aggregation policy called "Normalized Policy (Splunk App for Infrastructure)" that groups the notable events created for Splunk App for Infrastructure alerts in Episode Review. If the Normalized Correlation Search is enabled, this policy also groups notable events for other third-party alerts that use ITSI normalized fields.
The Normalized Policy (Splunk App for Infrastructure) groups notable events created from the following two correlation searches:
- Splunk App for Infrastructure Alerts
- Normalized Correlation Search
You can modify this policy to meet your needs.
Enable the Normalized Policy (Splunk App for Infrastructure)
If you enable alert integration in the Integrate with Splunk App for Infrastructure dialog, the Normalized Policy (Splunk App for Infrastructure) aggregation policy is enabled for you, along with the Splunk App for Infrastructure Alerts correlation search. If you enabled the Splunk App for Infrastructure Alerts correlation search directly instead, the aggregation policy is not enabled automatically; enable the Normalized Policy (Splunk App for Infrastructure) aggregation policy yourself if you want to use it.
To enable the Normalized Policy (Splunk App for Infrastructure) aggregation policy, perform the following steps:
- In ITSI, select Configure > Notable Event Aggregation Policies from the top menu bar.
- In the Normalized Policy (Splunk App for Infrastructure) line, toggle the switch to Enabled.
For more information about notable event aggregation policies, see Notable event aggregation policies in ITSI.
Normalized Policy (Splunk App for Infrastructure) configuration
The Normalized Policy (Splunk App for Infrastructure) aggregation policy has the following configuration:
| Setting | Value |
| --- | --- |
| Include the events if | Events are filtered by the following ITSI normalized fields: |
| Split events by field | Events are split into multiple episodes by: |
| Break episode | The episode is broken: |
How the aggregation policy works
If the first event in the episode has a severity of Normal, the episode breaks immediately and no other events are added to it. Because such an episode contains only that one event, its status changes to Closed.
If two or more events are added to an episode with a severity other than Normal, and then a Normal event comes in (a clearing event):
- The episode breaks.
- The severity is set to Normal.
- The status changes to Resolved.
If an episode contains events with a severity other than Normal and no new events come in for an hour:
- The episode breaks.
- The severity is set to the same as the last event.
- The status changes to Resolved, because enough time has passed that the problem most likely no longer exists.
This aggregation policy lets you filter Episode Review by Status to get the following information:
| Status | Meaning |
| --- | --- |
| New | Alerts that are active (the most recent severity is not Normal). |
| Resolved | Alerts that are no longer active (the most recent severity is Normal, or no new events have been received for an hour). |
| Closed | Alerts that can be ignored, since the episode only ever contained a Normal event. |
See Overview of Episode Review in ITSI for information about Episode Review.
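The following Python simulation is an added example, not code from ITSI or the Splunk App for Infrastructure. It replays a constructed stream of notable events through the episode rules described above (Normal first event, clearing event, and the one-hour pause) so you can check what Episode Review would show before you modify the policy. The split fields `entity_title` and `alert_name`, the event dict layout, and the sample events are assumptions made for the example; the page only states that events are split by ITSI normalized fields and does not list them here. The example treats a Normal event as a clearing event once the episode holds at least one non-Normal event, which is a reading of the page's "two or more" wording and is marked as such in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# The page's break-on-silence window: "no new events come in for an hour".
PAUSE_SECONDS = 3600

# Assumption: the page says events are split by ITSI normalized fields but does
# not list them here, so these two placeholder names stand in for them.
SPLIT_FIELDS: Tuple[str, ...] = ("entity_title", "alert_name")


@dataclass
class Episode:
    key: Tuple[str, ...]
    events: List[dict] = field(default_factory=list)
    severity: str = "Normal"   # always mirrors the most recent event
    status: str = "New"        # New, Resolved or Closed, as in Episode Review
    broken: bool = False

    @property
    def last_time(self) -> float:
        return self.events[-1]["_time"]


def aggregate(events: Sequence[dict], now: Optional[float] = None,
              split_fields: Tuple[str, ...] = SPLIT_FIELDS,
              pause_seconds: int = PAUSE_SECONDS) -> List[Episode]:
    """Replay notable events through the Normalized Policy rules described above.

    Each event is a dict with _time (epoch seconds), severity and the split
    fields. Returns every episode created: broken ones first, then those still
    open at `now` (or at the last event when `now` is None).
    """
    open_episodes: Dict[Tuple[str, ...], Episode] = {}
    done: List[Episode] = []

    def break_episode(ep: Episode, status: str, severity: str) -> None:
        ep.broken, ep.status, ep.severity = True, status, severity
        done.append(ep)
        open_episodes.pop(ep.key, None)

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev[f] for f in split_fields)
        ep = open_episodes.get(key)

        # A flow of events paused longer than the window breaks the episode as
        # Resolved; its severity stays that of the last event it received.
        if ep is not None and ev["_time"] - ep.last_time > pause_seconds:
            break_episode(ep, "Resolved", ep.severity)
            ep = None

        if ep is None:
            ep = Episode(key=key, events=[ev], severity=ev["severity"])
            if ev["severity"] == "Normal":
                # Normal first event: the episode breaks with its single event
                # and is Closed, so it never collects anything else.
                break_episode(ep, "Closed", "Normal")
            else:
                open_episodes[key] = ep
            continue

        ep.events.append(ev)
        if ev["severity"] == "Normal":
            # Clearing event: break, severity Normal, status Resolved.
            # Assumption: applied after one or more non-Normal events, whereas
            # the page's wording says "two or more".
            break_episode(ep, "Resolved", "Normal")
        else:
            ep.severity = ev["severity"]   # still active, status stays New

    # Episodes that went quiet before `now` have also hit the pause window.
    if now is not None:
        for ep in list(open_episodes.values()):
            if now - ep.last_time > pause_seconds:
                break_episode(ep, "Resolved", ep.severity)

    return done + list(open_episodes.values())


def status_counts(episodes: Sequence[Episode]) -> Dict[str, int]:
    """What filtering Episode Review by Status would show for these episodes."""
    counts = {"New": 0, "Resolved": 0, "Closed": 0}
    for ep in episodes:
        counts[ep.status] += 1
    return counts


def episodes_for(episodes: Sequence[Episode], *key: str) -> List[Episode]:
    return [ep for ep in episodes if ep.key == key]


def _ev(t: float, entity: str, alert: str, severity: str) -> dict:
    return {"_time": t, "entity_title": entity, "alert_name": alert, "severity": severity}


# Constructed sample stream (not real SAI output); times are seconds from t=0.
SAMPLE_EVENTS = [
    _ev(0,    "web-01", "cpu.usage",   "Critical"),
    _ev(100,  "web-02", "memory.free", "Normal"),    # Normal first event
    _ev(200,  "db-01",  "disk.free",   "High"),
    _ev(500,  "db-01",  "disk.free",   "Critical"),
    _ev(600,  "web-01", "cpu.usage",   "Critical"),
    _ev(1200, "web-01", "cpu.usage",   "Normal"),    # clearing event
    _ev(9000, "db-01",  "disk.free",   "Critical"),  # after more than an hour of silence
]

if __name__ == "__main__":
    episodes = aggregate(SAMPLE_EVENTS, now=9600)
    for ep in episodes:
        print(ep.key, len(ep.events), ep.severity, ep.status)
    print(status_counts(episodes))
```

Run with `now=9600` the stream yields four episodes: web-01 resolves on its clearing event, web-02 closes on its lone Normal event, the first db-01 episode resolves because its flow paused for more than an hour (keeping severity Critical), and the Critical event at 9000 opens a fresh db-01 episode that is still New. Advancing `now` past the pause window resolves that last episode as well, which is the behaviour the Resolved filter in Episode Review relies on.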
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5