Splunk® IT Service Intelligence

Event Analytics Manual

Configure episode information and episode dashboards in ITSI

Within an aggregation policy you can specify how you want episode information to appear in Episode Review. The Episode Information fields in an aggregation policy apply to all episodes grouped by that policy. The information is at the episode level and is separate from the information for the underlying notable events in the episode.

Changing a policy's episode information fields breaks all active episodes associated with that aggregation policy and starts a new episode. Make sure to carefully plan the timing of changes to these fields to mitigate potential risks associated with this behavior.

Configure episode information

  1. Within ITSI, click Configuration > Notable Event Aggregation Policies and open or create a policy.
  2. On the Filtering Criteria and Instructions tab, expand Episode Information.
  3. Configure the following settings for each episode field:
    | Component | Description |
    | --- | --- |
    | Same as the first event | Set the episode fields to the values from the first event in the episode. If there are multiple events in an episode with the same timestamp, the policy sorts them by milliseconds to determine the first event in an episode. |
    | Same as the last event | Continually updates the episode fields as each new event enters the episode. If there are multiple events in an episode with the same timestamp, the policy sorts them by milliseconds to determine the last event in an episode. |
    | Static value | Provide specific field values. If you select Static value for Episode Title or Episode Description, you can use a token such as %title% or %description% to insert the value of a field. If you provide a static value for Episode Instructions, you can include custom instructions in Markdown. |
    | All Events (for episode instructions) | If you're ingesting event instructions through your correlation search, this setting includes a deduplicated list of instructions for each event included in the episode. |

Add an episode dashboard

You can add a custom JSON-formatted dashboard to display in each episode grouped by an aggregation policy. Episode dashboards leverage the definitions from the Splunk Dashboards app. For formatting requirements and guidelines, see How the dashboard definition is structured in the source editor.

The first or last notable event's fields are available to use as tokens in the dashboard:

Tip: You can use the beta glass table editor within ITSI to create and test your dashboard definitions before adding them to an aggregation policy. The beta glass table framework also leverages Splunk Dashboard definitions. Use the built-in capabilities of the glass table framework to build out your dashboard using KPI and service health score visualizations, then paste the finalized JSON into the aggregation policy dashboard configuration. For more information about building beta glass tables, see Overview of the beta glass table editor in ITSI.

Once you add a dashboard, it appears on a separate Dashboard tab within each episode grouped by that policy. Analysts can reference this dashboard while investigating an episode to troubleshoot and find the root cause more efficiently. You can add a maximum of one dashboard to an episode.

Last modified on 06 October, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only
