Splunk® IT Service Intelligence

Event Analytics Manual

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Overview of the ITSI Rules Engine

The Rules Engine will eventually be replatformed from an indexed real-time search into a single pipeline in Splunk Data Stream Processor (DSP). To try it out early, sign up to participate on the Splunk ITSI 5.0 (beta) page.

The IT Service Intelligence (ITSI) Rules Engine is a system for continuously processing notable events to allow for event grouping and deduplication, as well as automatic action execution, based on user-defined criteria. The system revolves around a continuously running indexed real-time search that streams all notable events into a custom search command.

A notable event aggregation policy is the fundamental unit of the Rules Engine. Aggregation policies are the data structure the Rules Engine uses to group notable events into episodes. It's also the container for action rules that automate episode actions, such as sending an email or pinging a host. For more information about aggregation policies, see Overview of aggregation policies in ITSI.

Rules Engine search

The Rules Engine search is the component that groups notable events into episodes based on the filtering criteria you define in aggregation policies. The search is similar to the following:

search `itsi_tracked_alerts_index` | itsi_rules_engine | where 1=2

The search runs with a time range of earliest=rt, latest=rt. It includes indexedRealTime=1 to force Splunk to stream all newly indexed events directly to the custom search command itsi_rules_engine. The final WHERE clause ensures the output of the search command doesn't linger in the dispatch directory.

How the Rules Engine functions

The Rules Engine's functionality begins with correlation searches. Correlation searches generate notable events in ITSI, which are stored in the itsi_tracked_alerts index. The Rules Engine saved search accepts notable events into the itsi_rules_engine custom search command. The search command generates the internal structures required for aggregating events into episodes and executing actions.

Episodes are stored via the HTTP Event Collector (HEC) in the itsi_grouped_alerts index. All episode metadata is stored via REST in the itsi_notable_group_system and itsi_notable_group_user KV store collections.

The Rules Engine search periodically polls the configuration database for updates. If a policy indicates some action should be executed, the Rules Engine dispatches a REST request to the Event Management Interface to execute the action. For more information, see Event Management Interface in the REST API Reference manual.

The following diagram illustrates the Rules Engine workflow of aggregating events, storing episodes, and executing actions:

RE.png

Last modified on 11 November, 2020
PREVIOUS
Set up custom episode actions in ITSI
  NEXT
Rules Engine properties reference in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters