The following are the spec and example files for
# This file contains possible attributes and values for generating ITSI
# notable events and configuring episode actions.
#
# There is an alert_actions.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place an alert_actions.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local/. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
# Use the [default] stanza to define any global settings.
# * You can also define global settings outside of any stanza, at the top
#   of the file.
# * Each .conf file should have at most one default stanza. If there are
#   multiple default stanzas, attributes are combined. In the case of
#   multiple definitions of the same attribute, the last definition in the
#   file wins.
# * If an attribute is defined at both the global level and in a specific
#   stanza, the value in the specific stanza takes precedence.

ttl = <integer>[p]
* The minimum time to live (TTL), in seconds, of the search artifacts if this
  action is triggered.
* If p follows the integer, then the integer is the number of scheduled periods.
* Default: 600 (10 minutes)

maxtime = <integer>[m|s|h|d]
* The maximum amount of time that the execution of an action is allowed to
  take before the action is aborted.
* Use the d, h, m and s suffixes to define the period of time:
  d = day, h = hour, m = minute and s = second. For example: 5d means 5 days.
* If you do not include a suffix, the time defaults to seconds.
* Default: 600 (10 minutes)

maxresults = <integer>
* The maximum number of search results sent via the alert.
* Default: 10000

is_custom = <boolean>
* Specifies whether the alert action is based on the custom alert actions
  framework and is supposed to be listed in the search UI.
* Default: 1

label = <string>
* Defines the label shown in the UI.
* If not specified, the stanza name is used instead.

description = <string>
* Defines the description shown in the UI.

payload_format = [xml|json]
* The format in which the alert script receives the configuration via STDIN.
* Default: json
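The precedence rules above (global settings at the top of the file, combined [default] stanzas with last-definition-wins, stanza-specific values overriding global ones) and the `<integer>[suffix]` syntax of `maxtime` and `ttl` are easy to get wrong when reviewing a local/alert_actions.conf. The following added example, which is not part of the Splunk documentation or the SA-ITOA app, is a small parser that applies those rules to a constructed sample file. The stanza name `my_action` in the sample is a hypothetical placeholder, not an ITSI stanza name.

```python
import re
from collections import OrderedDict

# Constructed sample local/alert_actions.conf: two settings at the global level
# (outside any stanza), a [default] stanza, and one action stanza.
# "my_action" is a hypothetical stanza name used only for illustration.
SAMPLE_CONF = """\
maxresults = 500
maxtime = 5m

[default]
ttl = 1200
maxtime = 10m
payload_format = json

[my_action]
label = Example action
maxtime = 2h
"""

_DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conf(text):
    """Parse .conf text into an ordered {stanza: {key: value}} mapping.

    Settings that appear above the first stanza header are global and are
    stored under "default".  Repeated [default] stanzas are combined, and the
    last definition of a key wins.  Comments (#) and blank lines are skipped.
    """
    stanzas = OrderedDict()
    current = "default"
    stanzas[current] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_settings(stanzas, stanza):
    """Resolve precedence: a value in the named stanza overrides [default]."""
    merged = dict(stanzas.get("default", {}))
    merged.update(stanzas.get(stanza, {}))
    return merged


def parse_maxtime(value):
    """maxtime = <integer>[m|s|h|d]; returns seconds, no suffix meaning seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"invalid maxtime: {value!r}")
    return int(m.group(1)) * _DURATION_UNITS[m.group(2) or "s"]


def parse_ttl(value):
    """ttl = <integer>[p]; returns (number, 'periods') or (number, 'seconds')."""
    m = re.fullmatch(r"(\d+)(p?)", value.strip())
    if not m:
        raise ValueError(f"invalid ttl: {value!r}")
    return int(m.group(1)), ("periods" if m.group(2) else "seconds")


if __name__ == "__main__":
    resolved = effective_settings(parse_conf(SAMPLE_CONF), "my_action")
    for key, value in sorted(resolved.items()):
        print(f"{key} = {value}")
    print("maxtime seconds:", parse_maxtime(resolved["maxtime"]))
```

In the sample, `maxtime` is defined three times: the global line (5m) is overridden by the [default] stanza (10m), which in turn is overridden by the action stanza (2h), while `maxresults` and `ttl` fall through from the global and [default] definitions respectively.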
* Generate notable events under this stanza name.
* ITSI sends notable events to the ITSI summary index.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.http_token_name = <string>
* The HTTP token name.
* Optional.
* If you do not provide a token name, ITSI obtains one token using the index
  and sourcetype parameters below.

param.index = <string>
* The index name.
* This setting is required if you do not provide an HTTP token for the
  'param.http_token_name' setting.
* Default: itsi_tracked_alerts

param.sourcetype = <string>
* The sourcetype.
* This setting is used if you do not provide an HTTP token for the
  'param.http_token_name' setting.
* Default: itsi_notable:event

param.event_identifier_fields = <comma-separated list>
* A list of fields that are used to identify event duplication.
* Default: source

param.search_type = <string>
* The search type.
* Default: custom

param.is_use_event_time = <boolean>
* If "1", ITSI uses the actual event time.
* If "0", ITSI uses the time the event was indexed.
* Default: 0

param.event_field_max_length = <integer>
* The maximum field length.
* Default: 10000
* Ping a host in one or more ITSI episodes under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.host_to_ping = <string>
* The field from the episode representing the host to ping.
* If your event contains the field 'server', set to '%server%'.
* When ITSI executes the alert action, it extracts the value corresponding to
  the token value from event data and tries to ping it.
* If you set a value that does not begin and end with '%', ITSI considers this
  to be the value to ping. No extractions are done in this case.
* Default: %orig_host%
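Because `param.host_to_ping` is resolved from event data, the value handed to `ping` is effectively attacker-influenced input: whatever lands in the event's field is what the action tries to ping. The added example below, which is not ITSI's implementation of the ping action, shows how a custom alert action script (the framework that `is_custom` and `payload_format = json` refer to) would apply the `%field%` rule and then validate the resolved value before building a `ping` command line without a shell. The STDIN payload shape (a `configuration` object holding the `param.*` values and a `result` object holding the event fields), the sample event, and the `--execute` argument handling are assumptions for illustration; check them against the custom alert action documentation for your version.

```python
import json
import re
import subprocess
import sys

# Constructed sample of the JSON payload a custom alert action reads from STDIN
# when payload_format = json.  ASSUMPTION: "configuration" carries the param.*
# values and "result" carries the event fields; the real ITSI payload may differ.
SAMPLE_PAYLOAD = {
    "configuration": {"host_to_ping": "%server%"},
    "result": {"server": "db01.example.internal", "orig_host": "10.0.0.5"},
}

# A token is a value that begins and ends with '%' and names one event field.
_TOKEN = re.compile(r"^%([^%]+)%$")

# Accept only a plain hostname or dotted IPv4 literal (RFC 1123 label rules).
# Shell metacharacters, whitespace and leading dashes cannot match this.
_SAFE_HOST = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def resolve_token(value, event):
    """Apply the %field% rule from the spec.

    A value wrapped in '%' is looked up as a field in the event and returns
    None if that field is absent; any other value is used literally.
    """
    value = value.strip()
    m = _TOKEN.match(value)
    if not m:
        return value
    return event.get(m.group(1))


def is_safe_host(host):
    """True only for a plain hostname/IPv4 literal; everything else is rejected."""
    return bool(host) and _SAFE_HOST.match(host) is not None


def build_ping_argv(host, count=1, timeout=3):
    """Return an argv list for ping (Linux iputils flags assumed).

    Passing a list to subprocess, never a string with shell=True, makes the
    host a single argument; combined with is_safe_host it cannot smuggle in
    extra commands or options.
    """
    if not is_safe_host(host):
        raise ValueError(f"refusing to ping unsafe host value: {host!r}")
    return ["ping", "-c", str(count), "-W", str(timeout), host]


def ping_from_payload(payload):
    """Resolve host_to_ping (default %orig_host%) against the event and build argv."""
    config = payload.get("configuration", {})
    event = payload.get("result", {})
    target = resolve_token(config.get("host_to_ping", "%orig_host%"), event)
    if target is None:
        raise ValueError("host_to_ping token did not resolve against the event")
    return build_ping_argv(target)


def main():
    # ASSUMPTION: Splunk invokes the script with --execute and the payload on STDIN.
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        payload = json.load(sys.stdin)
    else:
        payload = SAMPLE_PAYLOAD  # offline demonstration with the constructed event
    argv = ping_from_payload(payload)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    print("reachable" if completed.returncode == 0 else "unreachable", argv[-1])


if __name__ == "__main__":
    main()
```

Run without arguments the script pings the constructed sample host; a value such as `10.0.0.5; id` or `$(whoami)` arriving in the event field is rejected by `is_safe_host` before any process is started, and a literal (non-`%`) value in `host_to_ping` goes through the same check.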
* Set options to associate an episode with a ticket from an external
  ticketing system under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.ticket_system = <string>
* The name of the external ticketing system.
* This setting is required to create/update/delete a ticket.
* There is no default.

param.ticket_id = <string>
* The ID of the specific ticket to link to.
* This setting is required to create/update/delete a ticket.
* There is no default.

param.ticket_url = <string>
* The drilldown link to the ticket in the external ticketing system.
* This setting is required to create/update a ticket.
* There is no default.

param.operation = <upsert|delete>
* Specifies the type of action to take on the ticket.
* If "upsert", ITSI inserts or updates existing fields.
* If "delete", ITSI deletes the ticket.
* There is no default.

param.kwargs = <dict>
* A dictionary of additional fields to pass to the ticket.
* Optional.
* There is no default.
param.account = <list>
* The name of the account in which the incident is created.
* Required.

param.state = <string>
* The state of the incident.
* Optional.

param.configuration_item = <string>
* Configuration item.
* Optional.

param.contact_type = <string>
* The method by which the incident was reported.
* Optional.

param.assignment_group = <string>
* The name of the assignment group associated with the incident.
* Optional.

param.category = <string>
* The category of the incident.
* Required.

param.subcategory = <string>
* The subcategory of the incident.
* Optional.

param.impact = <number>
* The impact value of the incident.
* Optional.

param.urgency = <number>
* The urgency of the incident.
* Optional.

param.priority = <number>
* The priority of the incident, determined by the impact and urgency values.
* Optional.

param.short_description = <string>
* A brief description of the ITSI episode.
* Required.

param.correlation_id = <string>
* The correlation ID associated with the ServiceNow incident.
* Optional.

param.splunk_url = <link>
* An external drilldown link from the ServiceNow incident.
* You can use this setting to link back to the corresponding episode in ITSI.
* Optional.

param.custom_fields = <string>
* Custom fields.
* Optional.
List of ITSI configuration files
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.4.2