Configure episode information and episode dashboards in ITSI
Within an aggregation policy you can specify how you want episode information to appear in Episode Review. The Episode Information fields in an aggregation policy apply to all episodes grouped by that policy. The information is at the episode level and is separate from the information for the underlying notable events in the episode.
Changing a policy's episode information fields breaks all active episodes associated with that aggregation policy and starts a new episode. Make sure to carefully plan the timing of changes to these fields to mitigate potential risks associated with this behavior.
Configure episode information
- Within ITSI, click Configuration > Notable Event Aggregation Policies and open or create a policy.
- On the Filtering Criteria and Instructions tab, expand Episode Information.
- Configure the following settings for each episode field:
Component Description Same as the first event Set the episode fields to the values from the first event in the episode. If there are multiple events in an episode with the same timestamp, the policy sorts them by milliseconds to determine the first event in an episode. Same as the last event Continually updates the episode fields as each new event enters the episode. If there are multiple events in an episode with the same timestamp, the policy sorts them by milliseconds to determine the last event in an episode. Static value Provide specific field values. If you select
Static valuefor Episode Title or Episode Description, you can use a token such as %title% or %description% to insert the value of a field. If you provide a static value for Episode Instructions, you can include custom instructions in Markdown.
All Events (for episode instructions) If you're ingesting event instructions through your correlation search, this setting includes a deduplicated list of instructions for each event included in the episode.
Add an episode dashboard
You can add a custom JSON-formatted dashboard to display in each episode grouped by an aggregation policy. Episode dashboards leverage the definitions from the Splunk Dashboards app. For formatting requirements and guidelines, see How the dashboard definition is structured in the source editor.
Tip: You can use the beta glass table editor within ITSI to create and test your dashboard definitions before adding them to an aggregation policy. The beta glass table framework also leverages Splunk Dashboard definitions. Use the built-in capabilities of the glass table framework to build out your dashboard using KPI and service health score visualizations, then paste the finalized JSON into the aggregation policy dashboard configuration. For more information about building beta glass tables, see Overview of the beta glass table editor in ITSI.
Once you add a dashboard, it appears on a separate Dashboard tab within each episode grouped by that policy. Analysts can reference this dashboard while investigating an episode in order to more efficiently troubleshoot and find root cause. You can add a maximum of one dashboard to an episode.
Configure episode filtering and breaking criteria in ITSI
Configure episode action rules in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only