Overview of the ITSI Rules Engine
The Rules Engine will eventually be replatformed from an indexed real-time search into a single pipeline in Splunk Data Stream Processor (DSP). To try it out early, sign up to participate on the Splunk ITSI 5.0 (beta) page.
The IT Service Intelligence (ITSI) Rules Engine is a system for continuously processing notable events to allow for event grouping and deduplication, as well as automatic action execution, based on user-defined criteria. The system revolves around a continuously running indexed real-time search that streams all notable events into a custom search command.
A notable event aggregation policy is the fundamental unit of the Rules Engine. Aggregation policies are the data structure the Rules Engine uses to group notable events into episodes. It's also the container for action rules that automate episode actions, such as sending an email or pinging a host. For more information about aggregation policies, see Overview of aggregation policies in ITSI.
Rules Engine search
The Rules Engine search is the component that groups notable events into episodes based on the filtering criteria you define in aggregation policies. The search is similar to the following:
search `itsi_tracked_alerts_index` | itsi_rules_engine | where 1=2
The search runs with a time range of latest=rt. It includes indexedRealTime=1 to force Splunk to stream all newly indexed events directly to the custom search command itsi_rules_engine. The final WHERE clause (where 1=2) ensures the output of the search command doesn't linger in the dispatch directory.
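For readers who want to see how the settings described above map onto Splunk configuration, the following savedsearches.conf stanza is an added illustration, not ITSI's own saved search definition. The stanza name is an assumption; the search string, the rt latest time, and the indexed real-time flag are the ones the text describes (dispatch.earliest_time = rt is assumed for an all-time real-time window).

```ini
# Added example (hypothetical stanza name), not the ITSI-shipped saved search.
# Shows the dispatch settings the page describes for the Rules Engine search.
[example_rules_engine_search]
# Stream every newly indexed notable event into the custom command and discard the output.
search = search `itsi_tracked_alerts_index` | itsi_rules_engine | where 1=2
# All-time real-time window: earliest is assumed, latest=rt is from the page.
dispatch.earliest_time = rt
dispatch.latest_time = rt
# indexedRealTime=1: deliver events as they are indexed rather than on a sliding window.
dispatch.indexedRealtime = 1
```

An indexed real-time search of this kind places a continuous load on the indexers it reads from, so a practitioner reviewing the deployment should confirm that exactly one instance of the search is running and that it is not duplicated across search heads.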
How the Rules Engine functions
The Rules Engine's functionality begins with correlation searches. Correlation searches generate notable events in ITSI, which are stored in the itsi_tracked_alerts index. The Rules Engine saved search accepts notable events into the itsi_rules_engine custom search command. The search command generates the internal structures required for aggregating events into episodes and executing actions.
Episodes are stored via the HTTP Event Collector (HEC) in the itsi_grouped_alerts index. All episode metadata is stored via REST in the itsi_notable_group_user KV store collections.
The Rules Engine search periodically polls the configuration database for updates. If a policy indicates some action should be executed, the Rules Engine dispatches a REST request to the Event Management Interface to execute the action. For more information, see Event Management Interface in the REST API Reference manual.
The following diagram illustrates the Rules Engine workflow of aggregating events, storing episodes, and executing actions:
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0