Splunk® IT Service Intelligence

Event Analytics Manual

Download manual as PDF

Download topic as PDF

Overview of the ITSI Rules Engine

The IT Service Intelligence (ITSI) Rules Engine is a system for continuously processing notable events to allow for event grouping and deduplication, as well as automatic action execution, based on user-defined criteria. The system revolves around a continuously running indexed real-time search that streams all notable events into a custom search command.

A notable event aggregation policy is the fundamental unit of the Rules Engine. Aggregation policies are the data structure the Rules Engine uses to group notable events into episodes. It's also the container for action rules that automate episode actions, such as sending an email or pinging a host. For more information about aggregation policies, see Overview of aggregation policies in ITSI.

Rules Engine search

The Rules Engine search is the component that groups notable events into episodes based on the filtering criteria you define in aggregation policies. The search is similar to the following:

search `itsi_tracked_alerts_index` | itsi_rules_engine | where 1=2

The search runs with a time range of earliest=rt, latest=rt. It includes indexedRealTime=1 to force Splunk to stream all newly indexed events directly to the custom search command itsi_rules_engine. The final WHERE clause ensures the output of the search command doesn't linger in the dispatch directory.

How the Rules Engine functions

The Rules Engine's functionality begins with correlation searches. Correlation searches generate notable events in ITSI, which are stored in the itsi_tracked_alerts index. The Rules Engine saved search accepts notable events into the itsi_rules_engine custom search command. The search command generates the internal structures required for aggregating events into episodes and executing actions.

Episodes are stored via the HTTP Event Collector (HEC) in the itsi_grouped_alerts index. All episode metadata is stored via REST in the itsi_notable_group_system and itsi_notable_group_user KV store collections.

The Rules Engine search periodically polls the configuration database for updates. If a policy indicates some action should be executed, the Rules Engine dispatches a REST request to the Event Management Interface to execute the action. For more information, see Event Management Interface in the REST API Reference manual.

The following diagram illustrates the Rules Engine workflow of aggregating events, storing episodes, and executing actions:

RE.png

Last modified on 21 March, 2020
PREVIOUS
Dispatch episode actions to a remote ITSI instance
  NEXT
Rules Engine properties reference in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters